Cornell Computer Theft Puts 45,000 At Risk of Identity Theft
PL/SQL Guy writes "This afternoon, Cornell alerted over 45,000 current and former members of the University community that their confidential personal information — including name and social security number — had been leaked when a University-owned computer was stolen. A Cornell employee had access to this data for troubleshooting purposes, and the files storing the sensitive information were being stored on a computer that was not physically secure. The university is not disclosing details about the theft. This isn't the first breach for Cornell; last June, a computer at Cornell used for administrative purposes was hacked, and the University alerted 2,500 students and alumni that their personal information had potentially been stolen."
It's like trying to hold water in a sifter. It's only a matter of time before some doofus puts an .xls file with everybody's info into a web share and then says "hackers compromised the [publicly available] private student data". Not like I haven't had any experience with this... or anything.
At this point, social security numbers are so widely distributed that the only sensible thing to do is to publish them all in the phone book, so no one will be able to pretend they mean anything. If a scammer wants to use someone else's identity to defraud a bank, then the black market will sell them cheap and in bulk. The real problem is that creditors are allowed to issue debts without attempting to contact the person whose name they're using, and then try to collect those debts when the scammer runs off with the money.
Wow.. social security numbers.. on PERSONAL COMPUTERS!!!! Outrageous. What that data is doing on anything but computers locked behind doors in a data center is beyond comprehension.
Cornell has dropped out of the Ivy league and entered the bush league.
hosers.
It is extremely frustrating. I encrypt my personal data when it is under my control. It is unforgivable that an institution that I pay this much can't do the same.
How many times isn't identity theft reported? The high school I went to had a case reported where some kids had stolen the SS numbers from the school's network. I know because I was called in and questioned about it. I didn't do it, and I don't know if they ever found out; I don't think they did, as no one was expelled. The IT Department was totally fucked though, as a network with a vulnerability like that was... well, you get the idea.
I was on the network and saw some teachers' files, however, so I wonder if some other kids got further than I did. I knew not to let my "young curiosity" go any further. College applications, let alone scholarships, were at stake, and fooling around on the network like that was not worth not going to college.
My point being: this was reported, and the results were inconclusive. What if they questioned the person who actually got the SSNs and he got away with it? I wonder if a few credit cards in my name will be opened up in Asia in a few years, or already.
WTF do you need the actual data for? You don't know that a SSN is 9 numbers and possibly 2 dashes? Why do you need actual data on a computer that can be stolen?
No comprende? Let me type that a little slower for you...
I'd like to see Andy Bernard's (class of '95) transcript.
0 = 1 + e^(Alt something)
Sue them for that amount, x45,000.
Then maybe they'll take this seriously.
This is the same IT department that recently switched over its management software to PeopleSoft. A wonderful web app that randomly throws COBOL errors and refuses to function.
Surprise, surprise.
I personally think this person was probably pretty far up the food chain. There was no indication they were let go, and who else would think they were this far above the regulations regarding encryption of personal data.
Everything was encrypted, right?
Andy Bernard is going to be upset.
I have no idea why this is modded funny. The correct moderation for this is +1 "We feel your pain, please revoke the user's privs. Immediately"
If I mod you up, it doesn't necessarily mean I agree with what you've said, sorry.
I had considered Cornell for obtaining my Bachelor's - not any longer with this.
Even I have better security practices, and I run Windows machines without firewalls or AV software.
Over four years without infection! Common fucking sense FTW.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
Identifying clients should be the creditor's problem, not mine. I have little control over my own SSN, but I am supposed to now buy ID theft insurance? Seems like Trans Union, TRW, Visa and the like should be able to figure something out.
You'd think the university that created the Cornell Spider (http://www2.cit.cornell.edu/security/tools/) would be more diligent about pushing that out on all their machines. But I work in the *real* world and know all about theory and practice.
That kind of theft couldn't have happened back when I was a student at Cornell, in the mid-late 70s. First of all, there was only one computer used for most campus activities, a mainframe that lived in a data center out by the airport, so nobody could have stolen it :-) (There were some PDP-11s and such in a few engineering departments (though not CS - it was mostly the physics people and maybe a random department in the business or ag school), and the card readers that we used to talk to the mainframe really were DG Novas with 4KB of memory. But none of them would have had payroll or anything like that - that lived on the mainframe.)
But more importantly, we didn't use Social Security Numbers, except for payroll processing for employees. We used Student ID Numbers, which were a 6-digit number that wasn't particularly linked to anything. I don't remember if I had to give my SSN when applying, but probably not.
Bill Stewart
I just got the email about this yesterday. It's the third time a university I've been associated with has had a major data leak (UCLA, Stanford, Cornell). The upside is that I've had free credit monitoring for the past few years!
So the moral of the story is: if you are looking to educate yourself on security and common sense, then Cornell is not where you want to go, among other places. It always amazes me that it seems to take a few hundred breaches before common sense sinks in and simple things like encryption and basic security measures are used.
Maybe the solution to this is absolute liability for anyone who keeps personal information on anyone else.
http://security.cuinfo.cornell.edu/
I have no idea how far back the stolen data goes, but I was a student at Cornell in the mid-90's. I can assure you that Cornell does not have my current email address (my university address expired after I left), and they do not have my current mailing address, either - I never receive mailed solicitations for money.
On their FAQ page, they assure everyone that they contacted everyone who had their data stolen via email or USPS. I am not saying that I was necessarily one of the victims here, but I am sure that there are other people in the 45,000 for whom that is true.
- (c) 2018 Hank Zimmerman
Fedora has full disk encryption, any newbie can activate it.
What is wrong with these people?
I've been reading about similar stuff happening at other places but I didn't think it would occur at Cornell. They are generally pretty good about IT/Security stuff. In any case, the email they sent out links to this FAQ:
http://faq-june2009.cuinfo.cornell.edu
Turns out that it wasn't so much the university's fault as it was the fault of some idiot IT person. An excerpt from the FAQ:
5. Why was this information on a computer?
A member of the Cornell technical staff, who is responsible for supporting our central administrative systems, was using these files to correct transmission errors found in the processing of the files. The data was being used for troubleshooting. Cornell's information security policies and guidelines do not allow unencrypted confidential personal data to be stored on any computer device that is not in a physically secured location. This employee's actions, although unintentional, violated our policy and practices.
At least they are being nice and providing us with a service that will let us monitor our credit history. Great stuff... one more thing to worry about while trying to finish with my dissertation!
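The Spider comment above and the FAQ's item 5 describe the same gap from two sides: a tool exists to find SSNs that have leaked onto workstations, and a staff member was nonetheless troubleshooting transmission errors with the real files. The script below is an added example, not the Cornell Spider and not anything posted in this thread. It (1) scans text for SSN-shaped values and filters out numbers the SSA never issues (area 000, 666 or 900-999, group 00, serial 0000), (2) produces a redacted copy that keeps the last four digits so a transmission dump can still be matched against the source system, and (3) generates synthetic 000-area test values for format testing, which is the point made earlier in the thread that you only need to know the 3-2-4 shape, not the actual data. The CSV sample is constructed for illustration.

```python
"""Find, redact and synthesize SSN-like values in troubleshooting files.

Added example: not Cornell's Spider and not code from the thread. The CSV
sample below is constructed. The validity rules are the SSA's published
structural rules: area numbers 000, 666 and 900-999 are never issued, nor
are group 00 or serial 0000.
"""
import re

# 3-2-4 digits, optionally separated by a dash or a space, on word boundaries
# so a 10-digit phone number or a longer numeric ID does not partially match.
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """True unless the number falls in a range the SSA never assigns."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    if group == "00" or serial == "0000":
        return False
    return True


def find_ssns(text: str) -> list[str]:
    """Every plausible SSN in text, in order of appearance."""
    return [m.group(0) for m in SSN_RE.finditer(text)
            if is_plausible_ssn(*m.groups())]


def scan_text(text: str) -> list[tuple[int, list[str]]]:
    """Per-line report (1-based line number, SSNs found): what a Spider-style
    sweep of a workstation would report for each file it flags."""
    report = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        hits = find_ssns(line)
        if hits:
            report.append((lineno, hits))
    return report


def redact_ssns(text: str) -> str:
    """Mask plausible SSNs, keeping the last four digits so records in a
    transmission dump can still be matched against the source system."""
    def mask(m: re.Match) -> str:
        area, group, serial = m.groups()
        if not is_plausible_ssn(area, group, serial):
            return m.group(0)          # leave non-SSNs (e.g. test data) alone
        return f"XXX-XX-{serial}"
    return SSN_RE.sub(mask, text)


def synthetic_ssn(i: int) -> str:
    """Deterministic test value in the never-issued 000 area: exercises the
    3-2-4 format without being any real person's SSN, and is ignored by the
    scanner above for the same reason."""
    return f"000-{(i // 10000) % 100:02d}-{i % 10000:04d}"


# Constructed sample: a small dump of the kind the FAQ says was being debugged.
SAMPLE = """\
id,name,ssn,dept
1001,Jane Doe,123-45-6789,Payroll
1002,John Roe,987 65 4321,Registrar
1003,Test Rec,000-12-3456,QA
1004,Help Desk,607-555-1234,CIT
1005,Raw Export,219099999,Alumni
"""

if __name__ == "__main__":
    for lineno, hits in scan_text(SAMPLE):
        print(f"line {lineno}: {hits}")
    print(redact_ssns(SAMPLE))
```

Run against the sample, only lines 2 and 6 are reported: the 9xx number, the 000 test record and the phone number are skipped, and the redacted copy still lets you tell record 1001 from record 1005 by the last four digits. The point of `synthetic_ssn` is that fixture files built from it will never trip a scanner and never expose anyone; the scanner and the generator agree on what "not a real SSN" means.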
Cornell alum here. They actually disclosed this breach to us yesterday the 23rd. On the bright side, they'll be paying for 'credit monitoring and identity theft restoration services.' Whatever that means...
Let me understand...
There is a government site that returns your signature, photo, complete name, DNA, fingerprint, all passwords, a 3D model of you, your sex tapes, etc., in case you've lost them... Just put in your SSN and you get back your lost identity. Is this the problem with SSNs?
Maybe credit companies just accept that you are someone else just because you know his/her SSN and last name...
Everyone else that stores and shares your personal data is too inept to notice their blunders, or won't dare admit it unless they absolutely must. It's best to assume there is no such thing as secure information once you share it with others.
Isn't Cornell supposed to be one of the biggest and brightest universities out there? They can't afford a good admin with stronger group policies on the network?
I was one of the 45,000. And although I agree that CIT is one of the most incompetent IT staffs I have ever come into contact with, keep in mind that CIT's actions do not necessarily reflect the knowledge of the general student body. I know plenty of freshmen who know more about computers than the CIT staff. It's frustrating when you call the IT department and then YOU have to explain to THEM how to fix the problem you're having with your internet connection.
So for all of you bashing Cornell: going to Cornell won't mean that you learn less about computers and security because of the IT staff being dumb. Knowledge of IT staff does not equal quality of classes when the selection process for hiring those staff members is as bad as it is. On top of that, most of the people who should be IT staff don't want to be. And at any school you'll have problems with the administration or the staff being incompetent in some way, that's just how it works.
All computers with sensitive information should have partitions entirely encrypted with TrueCrypt. Then a stolen computer would yield no information.
TrueCrypt can encrypt even the OS partition.
From Cornell's weak excuses, June 2009 Data Theft - Frequently Asked Questions, a quote: "In June, 2009, a Cornell-owned computer that contained a large amount of administrative data was stolen. Our review of a current backup of the files on the system revealed that confidential personal data for about 45,000 current and former staff and students, and some dependents, had been present."
TrueCrypt is so fast that there is no noticeable change in speed of the computer.
I forgot to mention that TrueCrypt is completely free and open source. TrueCrypt has a history of being very reliable.
There are versions of TrueCrypt for Windows Vista/XP/2000, Mac OS X, and Linux.
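Turning on full-disk encryption (the Fedora installer option mentioned earlier, or a TrueCrypt system volume) is the easy half; the half that bites is a second disk or a later-added partition holding the export files and not covered by it. The following is an added example, not from the thread and not a TrueCrypt or Fedora tool: it parses the key=value output of `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME`, walks each mounted filesystem's parent chain, and reports mounts that have no dm-crypt device (TYPE "crypt", which is what a LUKS mapping shows as) beneath them. The `lsblk` text is a constructed sample of a laptop whose root and /home sit on LUKS but whose /data partition does not; /boot and /boot/efi are ignored because the EFI partition and the kernel images are unencrypted by design.

```python
"""Report mounted filesystems that do not sit on a dm-crypt device.

Added example: parses `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME` output. The
sample below is constructed; run audit_live() on a real host to use the
actual lsblk output (Linux only).
"""
import shlex
import subprocess

# Constructed: a Fedora-style LUKS+LVM root with an unencrypted second disk.
SAMPLE_LSBLK = """\
NAME="nvme0n1" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="nvme0n1p1" TYPE="part" MOUNTPOINT="/boot/efi" PKNAME="nvme0n1"
NAME="nvme0n1p2" TYPE="part" MOUNTPOINT="/boot" PKNAME="nvme0n1"
NAME="nvme0n1p3" TYPE="part" MOUNTPOINT="" PKNAME="nvme0n1"
NAME="luks-1234" TYPE="crypt" MOUNTPOINT="" PKNAME="nvme0n1p3"
NAME="fedora-root" TYPE="lvm" MOUNTPOINT="/" PKNAME="luks-1234"
NAME="fedora-home" TYPE="lvm" MOUNTPOINT="/home" PKNAME="luks-1234"
NAME="sdb" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sdb1" TYPE="part" MOUNTPOINT="/data" PKNAME="sdb"
"""

# Unencrypted by design on a normal LUKS install; not worth reporting.
BOOT_MOUNTS = ("/boot", "/boot/efi")


def parse_lsblk_pairs(text: str) -> dict[str, dict[str, str]]:
    """Map device NAME -> {column: value} from lsblk -P (shell-quoted pairs).

    Limitation: a device with several parents (e.g. an LV across two PVs)
    is printed once per parent by lsblk; only the last line is kept here."""
    devices: dict[str, dict[str, str]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(tok.split("=", 1) for tok in shlex.split(line))
        devices[fields["NAME"]] = fields
    return devices


def is_encrypted(devices: dict[str, dict[str, str]], name: str) -> bool:
    """True if the device or any ancestor in the PKNAME chain is dm-crypt."""
    seen: set[str] = set()
    while name and name not in seen:
        seen.add(name)
        dev = devices.get(name)
        if dev is None:
            return False
        if dev["TYPE"] == "crypt":
            return True
        name = dev["PKNAME"]
    return False


def unencrypted_mounts(devices: dict[str, dict[str, str]],
                       ignore: tuple[str, ...] = BOOT_MOUNTS) -> list[tuple[str, str]]:
    """Sorted (mountpoint, device) pairs for mounts with no crypt ancestor."""
    return sorted(
        (dev["MOUNTPOINT"], name)
        for name, dev in devices.items()
        if dev["MOUNTPOINT"]
        and dev["MOUNTPOINT"] not in ignore
        and not is_encrypted(devices, name)
    )


def audit_live() -> list[tuple[str, str]]:
    """Same check against the running host (requires util-linux lsblk)."""
    out = subprocess.run(
        ["lsblk", "-P", "-o", "NAME,TYPE,MOUNTPOINT,PKNAME"],
        check=True, capture_output=True, text=True,
    ).stdout
    return unencrypted_mounts(parse_lsblk_pairs(out))


if __name__ == "__main__":
    for mountpoint, device in unencrypted_mounts(parse_lsblk_pairs(SAMPLE_LSBLK)):
        print(f"UNENCRYPTED: {mountpoint} on {device}")
```

On the sample this prints only `UNENCRYPTED: /data on sdb1`: the LVM volumes inherit encryption from the LUKS mapping two levels up, the EFI and /boot partitions are excluded, and the second disk is the finding. The same chain walk is what you want in a fleet check, because "the installer enabled encryption" says nothing about disks added afterwards.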
No offense, but you seem to be bordering on TrueCrypt advertising or even fanboying when you triple post like that. Not that TrueCrypt isn't good, but unencrypted emails are still a present weak point, along with the ignorant who send them.
Anything can be found funny, from a certain point of view.
"... you seem to be bordering on TrueCrypt advertising..."
I didn't mean to be "bordering on advertising". I meant to be extremely intensely advertising.
I don't have any connection with the people who make TrueCrypt. I am only a very, very happy user. I've been using TrueCrypt for more than 3 years, through many versions, with no problems.
TrueCrypt is an excellent resolution of a huge problem.