Slashdot Mirror


Another School Exposes Private Information

DutchSter writes "In the wake of other schools announcing the theft of hardware containing sensitive student information, Miami University, of Oxford, Ohio, has announced that a file containing the name, Social Security number, the grade point average for the Fall 2002 semester, cumulative grade point average, and other related academic information, such as credit hours attempted that semester, for all 21,000 students who attended the Fall 2002 term has been available on a web server for the last three years. The discovery was made this week and the university is taking steps to deal with the fall-out sure to come."

13 of 298 comments

  1. How much you wanna bet... by NickCatal · · Score: 3, Interesting

    they figured this out after it showed up on Google? Whatever happened to auditing what you have on the web?

    --
    -nick
  2. now that they've had their data exposed... by KillShill · · Score: 4, Interesting

    the university will refund their tuition for the year.

    that's what i would expect at a minimum. on top of other punishment for letting it happen in the first place.

    this only reinforces the notion i have that there is absolutely no privacy. once your data is in someone else's hands (and all your data does in fact belong to them) you can kiss your privacy goodbye.

    there is no recourse whatsoever. you cannot even sue them or ask for damages.

    your personal data is obviously worth something to sell to third party "warehouses" but when they expose your data to the whole world, at that point it ceases to be worth anything...

    --
    Science : Proprietary , Knowledge : Open Source
    1. Re:now that they've had their data exposed... by bobbuck · · Score: 3, Interesting
      "there is no recourse whatsoever. you cannot even sue them or ask for damages."

      Why couldn't you sue them if you can prove damages? There's no liability exemption for universities. I know the courts get some well deserved bad press but we're not in Cuba.

  3. In the end, can be a good thing too by powerline22 · · Score: 2, Interesting

    Last year, UConn, my college, had a privacy breach where lots of SSNs were leaked. This year, they've made a committee to figure out ways in which they can remove SSNs from as many internal processes as possible.

    Last year, a student's ID was their SSN. Now, it's an ID assigned by our PeopleSoft system. If I forget my ID at, oh say, the campus book store *shudder*, they can't look it up w/ my social. Like I said, good things can sometimes come out of these events.

  4. Re:Who are they hiring? by drgonzo59 · · Score: 2, Interesting
    Good point. They should separate the sensitive information into a private network where the mainframes with the grades, student information and all the billing is kept and tightly control access to it.

    But the problem here is human error. If the ex-chair or whoever that was, took the file and put it into his public folder, no security, no firewall, no isolated mainframes are going to help.

  5. Re:Just say 'No' to giving schools the SSN by MagicDude · · Score: 2, Interesting

    The SSNs have to be given to your school if you want to be eligible for loans. However, it seems like the file that was left open related to just academic information like GPA and credit hours and such. What is probably the case is that the university uses students' SSNs as their university ID number, or at least they did at the time. It's fairly common practice at colleges, and only recently have legislative steps been taken to end this practice of flaunting your SSN on all your university documents. In my freshman year of college (2000-01), my student ID was my SSN and my ID card had my SSN printed on it, but during that year New York passed some legislation making it so that universities had to assign independent student ID numbers to students that were not related to SSNs, so for the 01-02 year everybody was given a new ID number and card. So back to this case, the reason the SSNs were leaked was probably that all the students had their ID number next to their name in the file, which was their SSN, and it wasn't necessarily a leak of financial information.

  6. Why does everyone tag everything with your SSN? by Anonymous Coward · · Score: 2, Interesting

    I understand that it is the easy thing to do but with all the compromises of data recently it seems that the inconvenience of unique numbers for different institutions would be a valid approach. Data theft is like gambling. In Vegas you can't lose what you don't bet. On the web you can't have data compromised if you don't put it on the network.

  7. probably happens all the time by Chris+Snook · · Score: 4, Interesting

    A lot of universities have not-well-advertised public ftp servers that are used for transferring large files, generally with scripts that scrub things that have been around for more than a day to avoid turning into warez servers. I know of one multi-campus institution where an employee at one campus and their counterpart at another campus agreed to use this method to transfer a list of all currently enrolled students at one of the campuses. This included phone numbers, addresses, and student ID numbers, which were mostly SSNs, because that was the default and most students didn't know to ask for a different ID number. Once the transfer was complete and they discovered they could not delete files from this server, they called support, and it was gone in under 5 minutes. They'd already had it drilled into their heads how bad it would be if such a list got out, but no procedure for securely transferring very large files had been established, and they did not have the technical expertise to establish one themselves.

    I imagine this happens a lot, especially at research institutions whose scientists need to be able to receive large amounts of data from collaborators without having to set up accounts for them.

    --
    There's no failure quite as dissatisfying as a complete and total solution to the wrong problem.
  8. Re:Who are they hiring? by bladesjester · · Score: 2, Interesting

    I don't think I'd want to work at J Crew U (it's a well deserved nickname because the university is largely peopled by wannabe preps who think that J Crew is the height of fashion).

    If the attitude of the students is any reflection on the attitude of the staff, I'd want to beat people there...

    --
    Everything I need to know I learned by killing smart people and eating their brains.
  9. Re:Who are they hiring? by awkScooby · · Score: 4, Interesting
    The problem is not web admins. The problem is with clueless end users who are careless with sensitive data. As an admin, you're faced with hundreds of gigs to terabytes of stuff on your servers. It is impossible to police it. How would you begin to go about searching for social security numbers? Think of all the ways it could be encoded, and all of the false positives you would find in conducting such a search.

    I could be wrong here. If someone knows a way to scan an entire enterprise, when you don't have admin access to a number of the systems, and you don't have a list of all of the programs which are in use (so you don't know all the proprietary data formats), I would love to hear about your solution. Oh, you probably also need to be able to search documents and databases for encrypted versions, even though you don't have the keys... Management at the university I work for asked how we could scan the enterprise to find all sensitive data after we had a similar incident.

    The person who posted the data on the website is clearly the one who is responsible for that data. That would be the retired faculty member. An admin is responsible for keeping the web server running. Was the information available on the Internet? If so, the admin was doing their job well.

    There are some fundamental questions universities need to be asking themselves:

    • Why do faculty members have access to Social Security numbers?
    • What are you doing with Social Security numbers to begin with? Sure, you need them for employees, but why for students?
    • Why do faculty members have access to other sensitive pieces of data? If they don't need it, they shouldn't have access (principle of least privilege)

    Why doesn't the government step in in these situations? Clearly this is a FERPA violation on a huge scale. The individual who put the information on the website ultimately should be held accountable. If nothing else, action should be taken against the university. If the university gets more than a slap on the wrist, you can bet that the next person to do something dumb like this will be held accountable by the university.

    I probably shouldn't ask for that, as they'll probably decide it's the sys admin's fault...
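The scanning question raised in this comment (how you would even begin to search a file store for Social Security numbers, and how you keep the false positives down) is one a defender can at least attack for plain-text data. The following is an added example, not code from this thread or from any university's tooling: a Python scanner that walks a directory, matches both formatted and bare nine-digit values, discards numbers the SSA has never issued (area 000, 666 and 900-999, group 00, serial 0000), rates each hit by confidence depending on whether an SSN keyword sits on the same line, and reports only the last four digits so the report itself does not re-leak anything. The sample files it builds in a temporary directory are constructed and contain no real people or real SSNs; the file names and the keyword list are assumptions. As the comment notes, it cannot look inside proprietary or encrypted formats, so those files are skipped rather than scanned.

```python
"""Scan a directory tree of text files for SSN-like values and rate each hit
by confidence so a reviewer can triage the false positives."""
import os
import re
import tempfile
from dataclasses import dataclass

# A formatted SSN (123-45-6789 or 123 45 6789) is high confidence. A bare
# nine-digit run also matches order numbers and the like, so it is only
# "medium" when an SSN keyword is on the same line, otherwise "low".
FORMATTED_SSN = re.compile(r"(?<!\d)(\d{3})[- ](\d{2})[- ](\d{4})(?!\d)")
BARE_SSN = re.compile(r"(?<!\d)(\d{3})(\d{2})(\d{4})(?!\d)")
CONTEXT = re.compile(r"\b(ssn|social security)\b", re.IGNORECASE)  # assumed keyword list


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA has never issued: area 000, 666 or 900-999,
    group 00, serial 0000. Since the 2011 randomization no tighter
    area-range check is reliable, so this is deliberately the whole test."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


@dataclass
class Finding:
    path: str
    line_no: int
    masked: str      # last four digits only; the report must not re-leak the SSN
    confidence: str  # "high", "medium" or "low"


def _mask(serial: str) -> str:
    return "***-**-" + serial


def scan_text(text: str, path: str = "<text>") -> list:
    """Return one Finding per plausible SSN in the text, line by line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        has_context = CONTEXT.search(line) is not None
        for m in FORMATTED_SSN.finditer(line):
            if is_plausible_ssn(*m.groups()):
                findings.append(Finding(path, line_no, _mask(m.group(3)), "high"))
        for m in BARE_SSN.finditer(line):
            if is_plausible_ssn(*m.groups()):
                conf = "medium" if has_context else "low"
                findings.append(Finding(path, line_no, _mask(m.group(3)), conf))
    return findings


def scan_tree(root: str) -> list:
    """Walk root and scan every file that looks like text. Files with a NUL
    byte in their first 4 KiB (binary, proprietary or encrypted formats)
    are skipped: this scanner cannot see inside them."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                head = fh.read(4096)
            if b"\x00" in head:
                continue
            with open(full, "r", encoding="utf-8", errors="replace") as fh:
                findings.extend(scan_text(fh.read(), full))
    return findings


def build_sample_tree() -> str:
    """Constructed sample data (no real people, no real SSNs) in a temp dir."""
    root = tempfile.mkdtemp(prefix="ssn-scan-")
    with open(os.path.join(root, "grades.csv"), "w") as fh:
        fh.write("Name,SSN,GPA\n"
                 "Alice Example,123-45-6789,3.8\n"
                 "Bob Example,666-12-3456,2.9\n"       # area 666: never issued, filtered
                 "Carol Example,219-09-9999,3.5\n")
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("Student SSN: 123456789 (constructed)\n"
                 "Phone 555-123-4567, invoice 234567890\n")  # phone ignored, invoice is "low"
    with open(os.path.join(root, "logo.bin"), "wb") as fh:
        fh.write(b"\x89PNG\x00\x00123-45-6789")        # binary: skipped entirely
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        print(f"{f.confidence:6} {f.path}:{f.line_no} {f.masked}")
```

Run against the constructed tree it reports four hits: two high-confidence formatted SSNs in the CSV, one medium-confidence bare number beside the word "SSN", and one low-confidence bare invoice number, while the phone number and the never-issued 666 value are dropped. The point is that a plain regex over an enterprise file share is only a starting point; the confidence tiers and the issuance check are what keep the result list short enough for a human to actually review.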

  10. Re:Who are they hiring? by DutchSter · · Score: 2, Interesting

    * Why do faculty members have access to Social Security numbers?
    * What are you doing with Social Security numbers to begin with? Sure, you need them for employees, but why for students?
    * Why do faculty members have access to other sensitive pieces of data? If they don't need it, they shouldn't have access (principle of least privilege)

    Trying to keep my submission short, I didn't include my commentary on these items, but as an alum from 2003, I can explain a little bit of this...

    At the time, the school was using SSNs. Although students had "Banner IDs" since about a year before, all the internal systems were still keyed on SSNs, the Banner ID was a simple lookup table. Right after I graduated in May of 2003, they did a full conversion and everyone had to get new IDs, which previously, had been encoded with SSNs. After the conversion, it was the other way around, where the Banner ID was the key for everything, and there was a lookup table to go the other way. That lookup table, by the way, was only available to a small number of offices that actually needed it, such as the Student Aid office. Even the Registrar couldn't look you up by social anymore.

    None of this answers to me, however, why a faculty member of the Business School needed or was given access to the entire University. At work, I can pull up the performance reports and salary information for the team I supervise, and, with department head approval, anyone in the department. I cannot, however, pull up anything related to what someone in Marketing does. I only took two classes in the Business school, and both were in 2000. As such, the Business School had no need or right to know anything about me in 2002 other than the fact that I was an active student.

    It's a good thing I hadn't sent in my "Deans Fund for Excellence" donation yet. I know what I'll be returning in that postage paid envelope now.

  11. I wonder how many of these . . . by Ph33r+th3+g(O)at · · Score: 2, Interesting

    . . . unfortunate incidents are blown out of proportion or even engineered by the IT establishment at these colleges as a ploy for more authority and better funding. Whether or not that's the case, it'll certainly be the result.

    --
    I too have felt the cold finger of injustice.
  12. Re:Just say 'No' to giving schools the SSN by ifwm · · Score: 2, Interesting

    "A lot of universities use SSNs as student IDs which is really retarded."

    My University used to do this, but changed their policy after 2000. Their reasoning was that federal law had made it illegal to use SSNs in any form, including just part of the SSN, as identification.

    Anyway, it seems my school was ahead of the curve for once.