Slashdot Mirror


Cornell Computer Theft Puts 45,000 At Risk of Identity Theft

PL/SQL Guy writes "This afternoon, Cornell alerted over 45,000 current and former members of the University community that their confidential personal information — including name and social security number — had been leaked when a University-owned computer was stolen. A Cornell employee had access to this data for troubleshooting purposes, and the files storing the sensitive information were being stored on a computer that was not physically secure. The university is not disclosing details about the theft. This isn't the first breach for Cornell; last June, a computer at Cornell used for administrative purposes was hacked, and the University alerted 2,500 students and alumni that their personal information had potentially been stolen."


  1. Keeping User Data in a University.... by introspekt.i · · Score: 4, Insightful

    Is like trying to hold water in a sifter. It's only a matter of time before some doofus puts an .xls file with everybody's info into a web share and then says "hackers compromised the [publicly available] private student data". Not like I haven't had any experience with this....or anything.

    1. Re:Keeping User Data in a University.... by LaskoVortex · · Score: 5, Interesting

      I was once emailed a Word file with about 300 students' names, birthdates, social security numbers, and yes, user passwords for their university accounts. It was not encrypted and it was unsolicited--she needed help "opening" it. I promptly encrypted the file, deleted the original from my POP account, and then went to her computer and changed the name to have a ".doc" suffix. She was magically able to open it after that.

      These are the people we entrust with our sensitive information.

      --
      Just callin' it like I see it.
    2. Re:Keeping User Data in a University.... by tnk1 · · Score: 2, Insightful

      Hell, I once worked at a place where HR sent the spreadsheet that contained every employee and their salaries in it to ALLSTAFF, not once, but twice. At the time I was the mail administrator, and it was a gigantic pain in the ass. I really didn't even have time to write a script to do it, I had to log in to the server, and use Pine to turn everyone's mail into just another folder that I could access and I manually went in and had to find and delete the mail from like 300 people's inboxes.

      Obviously, to this day, I'm nearly certain that a not insignificant fraction of the staff had actually downloaded it from the POP3 server before I could get to it, but I was too frenzied to actually get a count as I was tabbing around and deleting like a mad man.

      Of course, the major question is, between my experience and this one.... why the fuck do people compile these things, load them into attachments or laptops and then do the stupidest things imaginable with them? Why do you need a list of everyone's salary or 45,000 people's social security numbers??? For what conceivable purpose would you take that out of the office or email it in bulk somewhere?

      It just goes to show. No one cares about security until it's too late to care about it. If it's not too late to care about it, they'll continue to ignore it, even after an incident until they have finally given away anything that could possibly be of value. At my business, I probably moved too fast to delete the file, so they had to screw up again to ensure their failure. At Cornell, losing 2500 accounts was too puny, so they needed to upgrade. Of course, given that there are like 17,000 undergrads at Cornell, they will probably need to screw up a few more times to make sure they have well and truly screwed over everyone who has attended there for the past decade or two.

      I'm not bitter.

    3. Re:Keeping User Data in a University.... by hairyfeet · · Score: 3, Interesting

      It isn't just universities. One Sunday I'm relaxing with a smoke after having to come into class to help those behind when I get a call "Where yo at?" I'm at class, just got done. Why? "You ain't gonna believe this shit. I'm about 10 blocks north of you. You got your truck?" yep, what else would I drive? "Good. Get over here NOW"

      So I get over there to where Chuck works at and the Telco next door has put out a ton of 1.5-3GHz boxes out on the curb. Being a nice Sunday and I don't mind a little exercise for some free parts I helped Chuck load them up, in return for picking a couple of the nicer ones for me of course. We get them to his place, unload them and I say "let's fire them up to see if any has an OS or if they have been stripped." Now not only do these boxes still have the nice little XP Pro OEM stickers on them, but the OS is STILL installed and they didn't bother deleting squat. Accounts, CC numbers, the whole nine yards was just sitting there unencrypted on the drives. Most didn't even need a username to log on. Lucky for them we just wanted the PCs and not the data or we could have had ourselves an ID theft field day.

      So it isn't just the schools. Over the years you'd be surprised how many "throw aways" I've ended up with that had major data on them. CC numbers, bank accounts, just stupid the amount of data they leave. I'm frankly shocked that MORE data theft hasn't occurred than what we have seen. I guess a lot of the guys are like me and just want a free PC and wipe the suckers.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    4. Re:Keeping User Data in a University.... by stephanruby · · Score: 2, Insightful

      Why do you need a list of everyone's salary or 45,000 people's social security numbers???

      Those lists become handy when you need to fire someone. You start with the highest salaried people, and then you slowly work yourself down the list until you recognize someone you dislike, or until you simply don't recognize a name.

  2. Social security numbers are worthless by Jimmy_B · · Score: 4, Interesting

    At this point, social security numbers are so widely distributed that the only sensible thing to do is to publish them all in the phone book, so no one will be able to pretend they mean anything. If a scammer wants to use someone else's identity to defraud a bank, then the black market will sell them cheap and in bulk. The real problem is that creditors are allowed to issue debts without attempting to contact the person whose name they're using, and then try to collect those debts when the scammer runs off with the money.

  3. I was one of the 45K by Anonymous Coward · · Score: 5, Insightful

    It is extremely frustrating. I encrypt my personal data when it is under my control. It is unforgivable that an institution that I pay this much can't do the same.

  4. I wonder by Anonymous Coward · · Score: 2, Interesting

    how many times identity theft isn't reported, the high school I went to had a case reported that some kids had stolen the SS numbers from the school's network. I know because I was called in and questioned about it. I didn't do it, and I don't know if they ever found out, I don't think they did as no one was expelled. The IT Department was totally fucked though as a network with vulnerability like that was... well you get the idea.

    I was on the network and saw some teachers' files however, so I wonder if some other kids got further than I did. I knew not to let my "young curiosity" go any further. College applications, let alone scholarships were at stake and fooling around the network like that was not worth not going to college.

    My point being, this was reported, and the results were inconclusive, what if they questioned the person who actually got the SSNs, and he got away with it. I wonder if a few credit cards in my name will be opened up in Asia in a few years, or already.

  5. CIT is completely incompetent by Anonymous Coward · · Score: 2, Insightful

    This is the same IT department that recently switched over its management software to PeopleSoft. A wonderful web app that randomly throws COBOL errors and refuses to function.

    Surprise Surprise.

    I personally think this person was probably pretty far up the food chain. There was no indication they were let go, and who else would think they were this far above the regulations regarding encryption of personal data.

  6. Re:Cross Cornell off the list by phantomcircuit · · Score: 2, Funny

    That is how you're choosing schools? Don't worry I don't think Cornell was even an option.

  7. At least they admit it.... by Bob_Who · · Score: 2, Insightful

    Everyone else that stores and shares your personal data is too inept to notice their blunders, or won't dare admit it unless they absolutely must. It's best to assume there is no such thing as secure information once you share it with others.