Slashdot Mirror

← Back to Stories (view on slashdot.org)

Cornell Computer Theft Puts 45,000 At Risk of Identity Theft

Posted by timothy on from the into-the-gorges-with-the-thief dept.

PL/SQL Guy writes "This afternoon, Cornell alerted over 45,000 current and former members of the University community that their confidential personal information — including name and social security number — had been leaked when a University-owned computer was stolen. A Cornell employee had access to this data for troubleshooting purposes, and the files storing the sensitive information were being stored on a computer that was not physically secure. The university is not disclosing details about the theft. This isn't the first breach for Cornell; last June, a computer at Cornell used for administrative purposes was hacked, and the University alerted 2,500 students and alumni that their personal information had potentially been stolen."

7 of 91 comments (clear)

  1. Keeping User Data in a University.... by introspekt.i · · Score: 4, Insightful

    Is like trying to hold water in a sifter. It's only a matter of time before some doofus puts an .xls file with everybody's info into a web share and then says "hackers compromised the [publicly available] private student data". Not like I haven't had any experience with this....or anything.

    1. Re:Keeping User Data in a University.... by tnk1 · · Score: 2, Insightful

      Hell, I once worked at a place where HR sent the spreadsheet that contained every employee and their salaries in it to ALLSTAFF, not once, but twice. At the time I was the mail administrator, and it was a gigantic pain in the ass. I really didn't even have time to write a script to do it, I had to login to the server, and use Pine to turn everyone's mail into just another folder that I could access and I manually went in and had to find and delete the mail from like 300 people's inboxes.

      Obviously, to this day, I'm nearly certain that a not insignificant fraction of the staff had actually downloaded it from the POP3 server before I could get to it, but I was too frenzied to actually get a count as I was tabbing around and deleting like a mad man.

      Of course, the major question is, between my experience and this one.... why the fuck do people compile these things, load them into attachments or laptops and then do the stupidest things imaginable with them? Why do you need a list of everyone's salary or 45,000 people's social security numbers??? For what conceivable purpose would you take that out of the office or email it in bulk somewhere?

      It just goes to show. No one cares about security until it's too late to care about it. If its not too late to care about it, they'll continue to ignore it, even after an incident until they have finally given away anything that could possibly be of value. At my business, I probably moved too fast to delete the file, so they had to screw up again to ensure their failure. At Cornell, losing 2500 accounts was too puny, so they needed to upgrade. Of course, given that there are like 17,000 undergrads at Cornell, they will probably need to screw up a few more times to make sure they have well and truly screwed over everyone who has attended there for the past decade or two.

      I'm not bitter.

    2. Re:Keeping User Data in a University.... by stephanruby · · Score: 2, Insightful

      Why do you need a list of everyone's salary or 45,000 people's social security numbers???

      Those lists become handy when you need to fire someone. You start with the highest salaried people, and then you slowly work yourself down the list until you recognize someone you dislike, or until you simply don't recognize a name.

  2. Re:from Ivy League to Bush League by Anonymous Coward · · Score: 1, Insightful

    I assure you it is news to no one involved with Cornell that the IT department (CIT) is utterly incompetent. If anyone had any doubts, the recent rollout of PeopleSoft silenced them when they could not hand out financial aid for a semester because they could not get the system to work and course pre-enrollment (which a lot of people want to start right on time to get into popular classes) failed with random COBOL errors, was taken down, and reinstated a day or so later.

  3. I was one of the 45K by Anonymous Coward · · Score: 5, Insightful

    It is extremely frustrating. I encrypt my personal data when it is under my control. It is unforgivable that an institution that I pay this much can't do the same.

  4. CIT is completely incompetent by Anonymous Coward · · Score: 2, Insightful

    This is the same IT department that recently switched over its management software to peoplesoft. A wonderful web app that randomly throws COBOL errors and refuses to function.

    Suprise Suprise.

    I personally think this person was probably pretty far up the food chain. There was no indication they were let go, and who else would think they were this far above the regulations regarding encryption of personal data.

  5. At least they admit it.... by Bob_Who · · Score: 2, Insightful

    Everyone else that stores and shares your personal data are too inept to notice their blunders, or won't dare admit it unless they absolutely must. Its best to assume there is no such thing as secure information once you share it with others.