Slashdot Mirror
Another School Exposes Private Information
DutchSter writes "In the wake of other schools announcing the theft of hardware containing sensitive student information, Miami University, of Oxford, Ohio, has announced that a file containing the name, Social Security number, the grade point average for the Fall 2002 semester, cumulative grade point average, and other related academic information, such as credit hours attempted that semester, for all 21,000 students who attended the Fall 2002 term has been available on a web server for the last three years. The discovery was made this week and the university is taking steps to deal with the fall-out sure to come."
...and where do I send my resume ?
you think it's easy, but you're wrong...
I know this is a major breach of privacy/security, but I'm curious about what kinds of malicious things one could do with this information.
It seems to me that the only useful thing is the names/SSN combination.
Unless you could blackmail some poorly-achieving students by threatening to tell their parents their real marks?
"A week in the lab saves an hour in the library"
Miami University... must be in Florida.
Oh, it's in Oxford... must be in England.
Bzzzzzt. BUT NO! It's in Ohio!
It must have taken a long time to come up with that combination of naming and placement.
My photolog
The space where the data was hosted was in a public space. The problem was that the ex-chair put the private files in public space. Since then, the IT dept. responsible for the business dept. (not our central IT Services) has since made all of those files unavailable to unauthenticated users.
Miami University...in Oxford...Ohio.
Met a girl from Miami that went to Oxford, and didn't like the song "Ohio." Seems a little less obscure, too. Yet, this school has 21,000 students? I mean...that's more than the real Oxford...the one that's not in Ohio, but has students from Miami...
the university will refund their tuition for the year.
that's what i would expect at a minimum. on top of other punishment for letting it happen in the first place.
this only reinforces the notion i have that there is absolutely no privacy. once your data is in someone elses hands (and all your data does in fact belong to them) you can kiss your privacy goodbye.
there is no recourse whatsoever. you cannot even sue them or ask for damages.
your personal data is obviously worth something to sell to third party "warehouses" but when they expose your data to the whole world, at that point it ceases to be worth anything...
Science : Proprietary , Knowledge : Open Source
No school needs an SSN. For that matter just say no to giving it to anybody but the IRS and your financial institutions. Your doctor doesn't need it. The gas company doesn't need it. Cingular and Earthlink don't need it.
The city in Florida sprung up at the end of the 1800s, and adopted the name because they thought it meant something vaguely pleasant regarding water.
So if anybody's ignorant, it's actually the clowns in Florida.
I got some inside information on the real story...
Apparantly there's this list of all the students academic info that's sent out to all the Deans each semester. One of the Deans gave it to another professor for whatever reason and that professor accidently puts it on a public drive and forgets about it for 3 years.
Nice. Real nice.
A lot of times it is not administrators who are directly doing this (i.e. its much bigger than one person or they have no real way of knowing). Information security is far more than simply one person's job. Everyone who has access to information - even the poor grad student who does backups on Sunday nights - should be responsible in some way for security.
It takes a lot of work to make strong, accountable policies and carefully define simple, but narrow ways of accessing information (i.e. not just dumping the student records excel file in the share folder). For example, everyone on campus has network access which is most often directly linked to online access. If one person screws up and misuses their data access priveleges by opening up information over the network, it is very hard to tell unless you have accountability in place. And how many places do security reviews?
When it becomes part of people's jobs to protect information, it will become a responsibilty. Right now, blaming one or two people is rarely a good solution. It's like someone who blames an outsourced medical transcripts worker in Pakistan for leaking information. Sure, it is there fault but the problem is much larger than one low-paid worker. Executive or peon, security is a group responsibility in information-rich, networked environments.
Over the Summer, my school's district replaced their old SIS (Student Information System) with "SchoolMAX", designed by Maximus. After talking to a guidance counselor regarding schedule modifications, I noticed her log in to the new system - I noticed it required 4 credentials, one which the counselor left blank, and I made a mental note to Google the name of the system for more info on it for curiosity sake. The counselor printed me my new schedule, right from the web page. Sweet, thanks for doing the work for me - the URL was on the bottom of the sheet. I got home, hopped on the web, and keyed in the URL. The credentials required were school district, operator ID, password, and screen ID. Screen ID was what the counselor had left blank, so I was down to 3. I figured school district would be available online - a quick Google search confirmed this, and I was down to 2 fields remaining. There doesn't seem to be any real security on the site, and I predict a simple brute force or something more practical such as social engineering would enable anyone to an entire district worth of information.
Before you start blaming every CS student maybe you should read the full explanation on their site, which among other things says:
"On Monday, September 12, 2005, Miami University became aware that a grade report from the Fall 2002 semester had been unwittingly placed by a now-retired faculty member into a file that was accessible via the Internet.
Note the 'retired faculty member'. Not a student or a hacker.
This seems like a common problem, how does one protect again appending sensitive information from a protected document into an ordinary text or non-sensitive file? Is there a technology out there that can mark the data so it can not be copied into another file even though it is accessible to some. Apparently the 'now retired faculty member' had access to the file. Probably used cut and paste to imbed it into a file he/she could access from home/laptop etc. We had lots of problems like this at government locations I worked at
I understand your anger but this does not seem to be a malicious act, it appears to be an honest screw up and is not like the stupidity of Citibank sending their files via un-encrypted tapes by UPS.
The school seems to be handling this OK.
It's named after the Miami tribe of Native Americans who used to live in the area. I go there, and yeah it's a joke. I'm just there because it's somewhere close while I decide where I want to really go. Wasn't always like that though, and to all the Miami Flordia people, Miami U was a school before Flordia was a state.
Peace
P.S.
yay, my first post!!
I don't care what youre doing so much as the idiotic way you're doing it.
A lot of universities have not-well-advertised public ftp servers that are used for transferring large files, generally with scripts that scrub things that have been around for more than a day to avoid turning into warez servers. I know of one multi-campus institution where an employee at one campus and their counterpart at another campus agreed to use this method to transfer a list of all currently enrolled students at one of the campuses. This included phone numbers, addresses, and student ID numbers, which were mostly SSNs, because that was the default and most students didn't know to ask for a different ID number. Once the transfer was complete and they discovered they could not delete files from this server, they called support, and it was gone in under 5 minutes. They'd already had it drilled into their heads how bad it would be if such a list got out, but no procedure for securely transferring very large files had been established, and they did not have the technical expertise to establish one themselves.
I imagine this happens a lot, especially at research institutions whose scientists need to be able to receive large amounts of data from collaborators without having to set up accounts for them.
There's no failure quite as dissatisfying as a complete and total solution to the wrong problem.
For free identity theft monitoring, please send your name, social security number, birth date, credit card numbers with expiration dates, and address to protectmyidentity@gmail.com. We will take care of your credit record for you and guarantee that you will never have to worry about your good credit record ever again.
I could be wrong here. If someone knows a way to scan an entire enterprise, when you don't have admin access to a number of the systems, and you don't have a list of all of the programs which are in use (so you don't know all the proprietary data formats), I would love to hear about your solution. Oh, you probably also need to be able to search documents and databases for encrypted versions, even though you don't have the keys... Management at the university I work for asked how we could scan the enterprise to find all sensitve data after we had a similar incident.
The person who posted the data on the website is clearly the one who is responsible for that data. That would be the retired faculty member. An admin is responsible for keeping the web server running. Was the information available on the Internet? If so, the admin was doing a their job well.
There are some fundamental questions universities need to be asking themselves:
Why doesn't the government step in in these situations? Clearly this is a FERPA violation on a huge scale. The individual who put the information on the website ultimately should be held accountable. If nothing else, action should be taken against the university. If the university gets more than a slap on the wrist, you can bet that the next person to do something dumb like this will be held accountable by the university.
I probably shouldn't ask for that, as they'll probably decide it's the sys admin's fault...
The information released also included demographics. I've obtained the information and masked off the personally identifying information so I could show the sort of demographic information made available:
... Gender Dress ...
... Male, Khaki shorts, white T-shirt, ball cap
... Female, Khaki shorts, white T-shirt, ball cap with pony tail pulled through
... Male, Khaki shorts, white T-shirt, ball cap
... Female, Khaki shorts, white T-shirt, ball cap with pony tail pulled through
... Male, Khaki shorts, white T-shirt, ball cap
... Male, Khaki shorts, white T-shirt, ball cap
... Female, Khaki shorts, white T-shirt, ball cap with pony tail pulled through
... Female, Khaki shorts, white T-shirt, ball cap with pony tail pulled through
... Male, Khaki shorts, white T-shirt, ball cap
... Female, Khaki shorts, white T-shirt, ball cap with pony tail pulled through
(if you've been there, you'll understand)