Cornell Computer Theft Puts 45,000 At Risk of Identity Theft
PL/SQL Guy writes "This afternoon, Cornell alerted over 45,000 current and former members of the University community that their confidential personal information — including name and social security number — had been leaked when a University-owned computer was stolen. A Cornell employee had access to this data for troubleshooting purposes, and the files storing the sensitive information were being stored on a computer that was not physically secure. The university is not disclosing details about the theft. This isn't the first breach for Cornell; last June, a computer at Cornell used for administrative purposes was hacked, and the University alerted 2,500 students and alumni that their personal information had potentially been stolen."
It's like trying to hold water in a sifter. It's only a matter of time before some doofus puts an .xls file with everybody's info into a web share and then says "hackers compromised the [publicly available] private student data". Not like I haven't had any experience with this... or anything.
At this point, social security numbers are so widely distributed that the only sensible thing to do is to publish them all in the phone book, so no one will be able to pretend they mean anything. If a scammer wants to use someone else's identity to defraud a bank, then the black market will sell them cheap and in bulk. The real problem is that creditors are allowed to issue debts without attempting to contact the person whose name they're using, and then try to collect those debts when the scammer runs off with the money.
Wow.. social security numbers.. on PERSONAL COMPUTERS!!!! Outrageous. What that data is doing on anything but computers locked behind doors in a data center is beyond comprehension.
Cornell has dropped out of the Ivy league and entered the bush league.
hosers.
It is extremely frustrating. I encrypt my personal data when it is under my control. It is unforgivable that an institution that I pay this much can't do the same.
How many times is identity theft not reported? The high school I went to had a case reported where some kids had stolen the SS numbers from the school's network. I know because I was called in and questioned about it. I didn't do it, and I don't know if they ever found out; I don't think they did, as no one was expelled. The IT Department was totally fucked though, as a network with a vulnerability like that was... well, you get the idea.
I was on the network and saw some teachers' files, however, so I wonder if some other kids got further than I did. I knew not to let my "young curiosity" go any further. College applications, let alone scholarships, were at stake, and fooling around on the network like that was not worth not going to college.
My point being, this was reported and the results were inconclusive. What if they questioned the person who actually got the SSNs, and he got away with it? I wonder if a few credit cards in my name will be opened up in Asia in a few years, or already have been.
WTF do you need the actual data for? You don't know that an SSN is 9 numbers and possibly 2 dashes? Why do you need actual data on a computer that can be stolen?
No comprende? Let me type that a little slower for you...
Sue them for that amount, x45,000.
Then maybe they'll take this seriously.
This is the same IT department that recently switched over its management software to PeopleSoft. A wonderful web app that randomly throws COBOL errors and refuses to function.
Surprise, surprise.
I personally think this person was probably pretty far up the food chain. There was no indication they were let go, and who else would think they were this far above the regulations regarding encryption of personal data.
I had considered Cornell for obtaining my Bachelor's - not any longer with this.
Even I have better security practices and I run windows machines without firewalls or AV software.
Over four years without infection! Common fucking sense FTW.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
Identifying clients should be the creditor's problem, not mine. I have little control over my own SSN, but I am supposed to now buy ID theft insurance? Seems like Trans Union, TRW, Visa and the like should be able to figure something out.
You'd think the university that created the Cornell Spider -- http://www2.cit.cornell.edu/security/tools/ -- would be more diligent to push that out on all their machines. But I work in the *real* world and know all about theory and practice.
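As an added illustration of the kind of scan a tool like the Cornell Spider performs (this is example code written for this page, not the Cornell tool and not any commenter's code), the script below finds SSN-shaped values in a text export, drops numbers the Social Security Administration never issues to cut false positives, and masks what it finds so that neither the report nor a troubleshooting copy carries the real values (the point made earlier in the thread about not needing the actual data to debug a file format). The sample export is constructed; the SSA issuance rules (area 000, 666 and 900-999, group 00 and serial 0000 are never assigned) are real.

```python
import re
from dataclasses import dataclass

# A US SSN: three-digit area, two-digit group, four-digit serial, written with
# dashes, spaces, or run together. The lookarounds stop matches inside longer
# digit runs such as account numbers.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the Social Security Administration never issues.

    Area 000, 666 and 900-999 are never assigned, nor are group 00 or
    serial 0000. This removes most phone numbers, ticket ids and other
    nine-digit strings that happen to fit the pattern.
    """
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0


def mask_ssn(serial: str) -> str:
    """Keep only the last four digits, the usual form for reports and support copies."""
    return f"***-**-{serial}"


@dataclass
class Finding:
    line_no: int
    masked: str


def scan_text(text: str) -> list:
    """Report plausible SSNs by line number without ever storing the full value."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            area, group, serial = m.groups()
            if is_plausible_ssn(area, group, serial):
                findings.append(Finding(line_no, mask_ssn(serial)))
    return findings


def redact_text(text: str) -> str:
    """Mask everything SSN-shaped, plausible or not, to produce a troubleshooting copy."""
    return SSN_RE.sub(lambda m: mask_ssn(m.group(3)), text)


# Constructed sample export; every value here is made up for this example.
SAMPLE_EXPORT = """\
emp_id,name,ssn,phone
1001,Alice Example,123-45-6789,607-555-0101
1002,Bob Example,219099999,607-555-0102
1003,Carol Example,000-12-3456,607-555-0103
note: ticket #2009061 opened for transmission errors
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_EXPORT):
        print(f"line {f.line_no}: {f.masked}")
    print(redact_text(SAMPLE_EXPORT))
```

The scanner reports only plausible SSNs (two here; the 000-area value and the phone numbers are skipped), while the redaction deliberately masks every SSN-shaped token so the troubleshooting copy errs on the safe side. Run over a real directory, the same functions would be applied to each file's text and the findings, never the raw matches, written to the audit log.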
That kind of theft couldn't have happened back when I was a student at Cornell, in the mid-late 70s. First of all, there was only one computer used for most campus activities, a mainframe that lived in a data center out by the airport, so nobody could have stolen it :-) (There were some PDP-11s and such in a few engineering departments (though not CS - it was mostly the physics people and maybe a random department in the business or ag school), and the card readers that we used to talk to the mainframe really were DG Novas with 4KB of memory. But none of them would have had payroll or anything like that - that lived on the mainframe.)
But more importantly, we didn't use Social Security Numbers, except for payroll processing for employees. We used Student ID Numbers, which were a 6-digit number that wasn't particularly linked to anything. I don't remember if I had to give my SSN when applying, but probably not.
Bill Stewart
I just got the email about this yesterday. It's the third time a university I've been associated with has had a major data leak (UCLA, Stanford, Cornell). The upside is that I've had free credit monitoring for the past few years!
So the moral of the story is, if you are looking to educate yourself on security and common sense, then Cornell is not where you want to go, among other places. It always amazes me that it seems to take a few hundred breaches before common sense sinks in and simple things like encryption and basic security measures are used.
Maybe the solution to this is absolute liability for anyone who keeps personal information on anyone else.
I have no idea how far back the stolen data goes, but I was a student at Cornell in the mid-90s. I can assure you that Cornell does not have my current email address (my university address expired after I left), and they do not have my current mailing address, either - I never receive mailed solicitations for money.
On their FAQ page, they assure everyone that they contacted everyone who had their data stolen via email or USPS. I am not saying that I was necessarily one of the victims here, but I am sure that there are other people in the 45,000 for whom that is true.
Fedora has full disk encryption, any newbie can activate it.
What is wrong with these people?
I've been reading about similar stuff happening at other places but I didn't think it would occur at Cornell. They are generally pretty good about IT/Security stuff. In any case, the email they sent out links to this FAQ:
http://faq-june2009.cuinfo.cornell.edu
Turns out that it wasn't so much the university's fault as it was the fault of some idiot IT person. An excerpt from the FAQ:
5. Why was this information on a computer?
A member of the Cornell technical staff, who is responsible for supporting our central administrative systems, was using these files to correct transmission errors found in the processing of the files. The data was being used for troubleshooting. Cornell's information security policies and guidelines do not allow unencrypted confidential personal data to be stored on any computer device that is not in a physically secured location. This employee's actions, although unintentional, violated our policy and practices.
At least they are being nice and providing us with a service that will let us monitor our credit history. Great stuff... one more thing to worry about while trying to finish with my dissertation!
While we are being completely OT, I have a question about your sig - how is that supposed to work?
If I mod something up it is because I believe in what is being said in that post. If I did not personally believe what is being said (e.g. because I have counter arguments, my experience has been different etc.) I have absolutely no reason to mod someone up. The same is true vice versa for downmods.
I would appreciate help on how I should prevent my own beliefs/knowledge/opinions from interfering with my moderation. I just don't see how it is possible.
Let me understand...
There is a government site that returns your signature, photo, complete name, DNA, fingerprint, all passwords, a 3D model of you, your sex tapes, etc., in the case you've lost them... Just put your SSN and you get back your lost identity. Is this the problem with SSNs?
Maybe credit companies just accept that you are someone else just because you know his/her SSN and last name...
Everyone else that stores and shares your personal data is too inept to notice their blunders, or won't dare admit it unless they absolutely must. It's best to assume there is no such thing as secure information once you share it with others.
You're not supposed to moderate so much on the topic, as the amount of information and presentation of said info.
If they bring forward a point you don't agree with, but fully support it with evidence, logical arguments, etc, then you mod it up, or at least, don't mod it down.
If they just say "Lunix/Winblows/CrackOS sucks cuz my homie knows a guy who's friend got a virus on it!" well...then you troll mod into oblivion.
Comments of "I agree" don't add anything useful to the conversation, and only serve to fill up the database tables of /. servers, so these sometimes get downmodded.
Comments that state a point and try to back it up with random web links that don't even support their view, posted in the hope of readers thinking "He's got references. Must be right." without even reading said links, should also be modded down.
You're right, though, it can be difficult to properly mod, due to your own preconceptions interfering. But you've kind of got to put yourself outside the discussion, and see it from that point of view.
That's very likely why you can't comment and mod the same story. If you get involved in the conversation, the preconceptions become even more solid and difficult to put aside when moderating. That, and people (read: jerks) will mod down anybody who responds to their postings and disagrees with them....
Of course, if somebody puts forth a radically stupid idea, no matter how well supported with anecdotal evidence (I read about a guy who got trapped in a sinking car because he couldn't get his seatbelt undone, so nobody should have to wear seatbelts because they obviously kill people!) then you still have a right to mod down. Although there should be a "-1 Moron" mod for that....
"City hall" in German is "Rathaus" Kinda explains a few things......
The point of the moderation system is not to make sure that only "true" things get posted, or that we only see what we agree with. It is to help sift through the comments for anything which is a worthwhile contribution to the discussion. From the FAQ: "The moderation system is designed to sort the gems and the crap from the steady stream of information that flows through the pipe." When all the comments are in and the moderators have finished their work, you should be able to read the thread at +3 (or so) and see exactly those comments that are worth reading. This may include points of view which are apparently wrong, but are still well constructed and represent the thought of a significant portion of a population.
We are here to have engaging discussions. The moderation system is not about rewarding or penalizing writers, but helping readers. My rule of thumb is: if I'm glad I read it, I mod up. If it was a royal waste of my time, I mod down.
Isn't Cornell... supposed to be one of the biggest and brightest universities out there... they can't afford a good admin with stronger group policies on the network?
Ok thanks, although I have read most of the FAQ I somehow missed that point. If that is the intention of the moderation system I will try to stick with it in the future. My only problem has been that it is very difficult to mod something "insightful" if it is clear to me that the poster is obviously wrong - even if he supplies plenty of arguments. But if the moderation system is mostly about the, shall we say, "form" of the post instead of the actual content, I see the point.
Thanks for your reply. What I really needed was gnapster's introduction though: "The point of the moderation system is not to make sure that only "true" things get posted" - that really helped get the point across :)
Do take my advice with a grain of salt. The truth is that I have not been moderating for very long. But my understanding of the spirit of the thing has been that, at the end of the day, we want to see a discussion thread filled with interesting and enjoyable comments, and nothing else.
All computers with sensitive information should have partitions entirely encrypted with TrueCrypt. Then a stolen computer would yield no information.
TrueCrypt can encrypt even the OS partition.
From Cornell's weak excuses, June 2009 Data Theft - Frequently Asked Questions, a quote: "In June, 2009, a Cornell-owned computer that contained a large amount of administrative data was stolen. Our review of a current backup of the files on the system revealed that confidential personal data for about 45,000 current and former staff and students, and some dependents, had been present."
TrueCrypt is so fast that there is no noticeable change in speed of the computer.
I forgot to mention that TrueCrypt is completely free and open source. TrueCrypt has a history of being very reliable.
There are versions of TrueCrypt for Windows Vista/XP/2000, Mac OS X, and Linux.
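As an added example for the full-disk-encryption posts above (this is code written for this page, not the commenter's and not from TrueCrypt, Fedora or Cornell), the audit helper below takes the first 4 KiB of a volume and reports whether it carries a LUKS header, a plaintext NTFS or ext2/3/4 signature, or nothing recognizable. The last case is the one that matters for TrueCrypt: its volume header is encrypted and has no plaintext magic by design, so the only cheap signal that such a disk is encrypted is that its first sectors look like random data. The on-disk signatures are real; the 7.0 bits-per-byte entropy threshold is an assumption chosen for this example, and the volume images are constructed in the script. On a real machine the same function would be fed the first bytes read from the block device, which needs administrator rights.

```python
import math
import random
from collections import Counter

# Real on-disk signatures; offsets are from the start of the volume.
LUKS_MAGIC = b"LUKS\xba\xbe"   # LUKS1/LUKS2 magic, followed by a 2-byte big-endian version
NTFS_OEM_ID = b"NTFS    "       # NTFS boot sector OEM ID at offset 3
EXT_MAGIC = b"\x53\xef"         # 0xEF53 little-endian at superblock offset 0x38 (volume offset 0x438)
HEADER_LEN = 4096               # how much of the volume head we examine
ENTROPY_THRESHOLD = 7.0         # assumption for this example: bits/byte above which data looks random


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty or constant input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_volume(header: bytes) -> str:
    """Classify a volume from its first HEADER_LEN bytes."""
    if header[:6] == LUKS_MAGIC:
        version = int.from_bytes(header[6:8], "big")
        return f"encrypted (LUKS{version})"
    if header[3:11] == NTFS_OEM_ID:
        return "plaintext (NTFS)"
    if len(header) >= 0x43A and header[0x438:0x43A] == EXT_MAGIC:
        return "plaintext (ext2/3/4)"
    # No plaintext header: a TrueCrypt volume lands here, and so does a blank disk.
    entropy = shannon_entropy(header[:HEADER_LEN])
    if entropy >= ENTROPY_THRESHOLD:
        return "likely encrypted (no plaintext header, high entropy)"
    return f"unknown (low entropy, {entropy:.2f} bits/byte)"


def build_sample_volumes() -> dict:
    """Constructed 4 KiB volume heads for the demo; none of these come from a real disk."""
    luks = bytearray(HEADER_LEN)
    luks[:6] = LUKS_MAGIC
    luks[6:8] = (2).to_bytes(2, "big")          # claims LUKS version 2

    ntfs = bytearray(HEADER_LEN)
    ntfs[0:3] = b"\xeb\x52\x90"                 # the usual NTFS boot sector jump
    ntfs[3:11] = NTFS_OEM_ID

    ext4 = bytearray(HEADER_LEN)
    ext4[0x438:0x43A] = EXT_MAGIC

    rng = random.Random(2009)                   # seeded so the demo is reproducible
    truecrypt_like = bytes(rng.getrandbits(8) for _ in range(HEADER_LEN))

    return {
        "luks": bytes(luks),
        "ntfs": bytes(ntfs),
        "ext4": bytes(ext4),
        "truecrypt_like": truecrypt_like,       # header indistinguishable from random data
        "zeros": bytes(HEADER_LEN),             # blank or wiped device
    }


def audit(volumes: dict) -> dict:
    """Map each volume name to its classification; the plaintext ones are the findings."""
    return {name: classify_volume(head) for name, head in volumes.items()}


if __name__ == "__main__":
    for name, verdict in audit(build_sample_volumes()).items():
        flag = "FINDING" if verdict.startswith("plaintext") else "ok"
        print(f"{name:15s} {verdict:52s} {flag}")
```

The useful output of such a check is the list of volumes with a recognizable plaintext filesystem, which is what a stolen laptop would hand over. A volume with neither a known header nor high entropy should be inspected by hand rather than assumed safe.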
No offense, but you seem to be bordering on TrueCrypt advertising or even fanboying when you triple post like that. Not that TrueCrypt isn't good, but unencrypted emails are still a present weak point, along with the ignorant who send them.
Anything can be found funny, from a certain point of view.
"... you seem to be bordering on TrueCrypt advertising..."
I didn't mean to be "bordering on advertising". I meant to be extremely intensely advertising.
I don't have any connection with the people who make TrueCrypt. I am only a very, very happy user. I've been using TrueCrypt for more than 3 years, through many versions, with no problems.
TrueCrypt is an excellent resolution of a huge problem.