Colleges leaking confidential data
Students compromised by Internet intrusions
Tanya Schevitz, Chronicle Staff Writer
Monday, April 5, 2004

©2004 San Francisco Chronicle

URL: sfgate.com/cgi-bin/article.cgi?file=/c/a/2004/04/05/MNGGP60LNV1.DTL

Colleges across the country, through computer security failure and human error, have exposed confidential information about hundreds of thousands of students and employees over the Internet, and experts say they expect the problems to continue.

In addition to being targeted by some very savvy hackers, college computer systems have been made vulnerable by the schools themselves through inadequately trained employees who have access to the files.

"It is not an arena where anything stands still," said security consultant Cedric Bennett, emeritus director of Information Security Services at Stanford University. "You might be doing great work (training people and securing your system); meanwhile, the laws are changing and the bad guys are getting more sophisticated."

Daniel Updegrove, vice president for information technology at the University of Texas at Austin, said advances such as around-the-clock access to administrative services and digital library resources have come with a down side.

"While popular and valuable, not all of these services have been rigorously tested for their ability to withstand intrusion from a sophisticated or persistent attacker," said Updegrove.

The problem has been highlighted in recent months by some high-profile breaches of computer-stored records including names, addresses, Social Security numbers and, in some cases, even credit cards, for applicants, students, alumni and staff.

-- San Diego State University reported in March that hackers broke into a server in the Office of Financial Aid and Scholarships, gaining access to names and Social Security numbers for more than 178,000 former and current students, applicants and employees.

-- The University of California notified 2,156 applicants a few weeks ago that an overloaded server may have allowed Social Security numbers, test scores and other personal details to be shared over the Internet with competing applicants.

-- Some 2,800 applicants of the California State University at Monterey Bay were informed in February that their names, addresses and Social Security numbers were made available on the Internet by an employee who moved the data to a computer folder that was not secure. The data was accessed more than 100 times from around the world before the error was discovered.

-- At the Georgia Institute of Technology, a hacker downloaded information that could have included names, addresses, phone numbers, e-mail addresses and credit card numbers for about 57,775 patrons from the campus arts center box office in March.

-- At the University of Texas at Austin, 55,200 names and Social Security numbers were downloaded by hackers in March after a similar incident in October.

-- At New York University, it was discovered in January that several mailing lists with names, birth dates, addresses, phone numbers, e-mail addresses and some Social Security numbers for at least 2,100 students, alumni and professors were inadvertently posted on a campus Web site, according to the campus newspaper, the Washington Square News.

SFSU students' information stolen
School alerts 3,000 affected by theft of faculty laptop

- Nanette Asimov, Chronicle Staff Writer
Friday, June 23, 2006

San Francisco State University officials have put students and staff on alert because a thief broke into a faculty member's car earlier this month and stole a laptop with nearly 3,000 Social Security numbers and names of former and current students.

Students' phone numbers and grade-point averages were also on the stolen laptop "in some cases," according to an information sheet posted on the campus Web site.

"The university employee's car was burglarized and the laptop was stolen on Thursday, June 1," the Web site says.

But university officials did not learn of the theft until five days later, said Ellen Griffin, the university's spokeswoman, who declined to say what disciplinary actions, if any, had been taken against the faculty member.

"All we'll say is that we've taken appropriate actions," said Griffin. However, it is "very common" for faculty members to keep student information on their computers, she said.

Police told the university that they have made no progress in recovering the stolen information, and that they are treating the matter as a "typical break-in into a car," said Griffin, adding that police don't believe the thief knew in advance that the students' information was on the laptop.

San Francisco State University stopped using Social Security numbers for student identification last July 1, when a new state law took effect. By contrast, UC campuses individually stopped using Social Security numbers between four and eight years ago, a spokesman said.

In all, the Social Security numbers of 2,751 former San Francisco State students and 65 current students were stolen. The campus began notifying them on June 12.

"We suggest that you be on the alert for any misuse of your personal information," university registrar Suzanne Dmytrenko warned in a letter to all who were affected, as well as to 219 others whose partial Social Security numbers were on the laptop.

California law requires state agencies to disclose when personal information has been stolen.

School officials also notified the faculty of the theft and told them to be more careful.

"People don't necessarily think to go back and make sure the information on their computers is consistent with new guidelines," said Griffin. "So we have sent out an e-mail to all faculty reminding them of good practices and of the need to protect privacy."

The university has posted an information sheet at www.sfsu.edu/~admisrec/reg/idtheft.html.

E-mail Nanette Asimov at nasimov@sfchronicle.com.

Page B - 5
URL: http://sfgate.com/cgi-bin/article.cgi?file=/c/a/2006/06/23/BAGQLJJ2LB1.DTL

Computer experts say that data erroneously posted on the Internet could have been copied or accessed before the problem was discovered, leaving individuals vulnerable for years.

"We live in an age now when anything that goes into a database has the potential to be compromised intentionally or unintentionally," said Chuck Haupt of Pleasanton, whose son was one of the applicants whose data was compromised at CSU Monterey Bay.

"My son's confidential information is out there," said Haupt, who works in the software industry. "People could wreck his credit history or cause identity theft ... Somebody can apply for a credit card with my son's data a year or two years from now, or maybe they will wait until these kids graduate and get jobs. Who knows how long we have to worry about this?"

According to the Federal Trade Commission, reports of identity theft increased 574 percent in three years, from 31,117 in 2000 to about 210,000 in 2003, with the majority of victims -- 28 percent -- between the ages of 18 and 29.

Although the problem of computer security is not limited to colleges and universities, academic institutions thrive in a culture of openness and the sharing of information, and some see the tightening of security procedures as a threat to that culture, said Bennett, the expert from Stanford.

"At a corporation where, for the most part, they want to keep the information inside the corporation, they put up big fences," Bennett said. "Universities, because they tend to be relatively open and invite inspection, tend not to put up fences. So it makes it even harder to manage the data which by law needs to be protected."

But the challenge may be human as well as technical. That was the case at CSU Monterey Bay.

"The good news is that the system itself is secure. It wasn't hacked into," said Stephen Reed, associate vice president of CSU Monterey Bay. "The question is, do we in fact audit the training and retrain often enough? Probably the answer is no, and in this case, definitely not. We need to intercept those few employees who have access to sensitive data and train them quicker and train them better and retrain them more often."

Privacy experts and college administrators agree that the most sensitive piece of information exposed on campus networks is a student's Social Security number, and efforts are under way to protect that, at the very least.

State Sen. Debra Bowen, D-Redondo Beach (Los Angeles County), authored legislation that requires government agencies, including the state's colleges and universities, to stop using Social Security numbers on student ID cards and public postings as of January 2004.

"Social Security numbers were on ID cards, they were on library cards, they were used in the gym, in every activity on campus," Bowen said. "Grades were posted by Social Security number. Items with the Social Security number went to students in the mail. If they have their Social Security number plastered everywhere, they will be at risk."

Eliminating the use of Social Security numbers as an identifier is vital, because many campus systems remain porous, said Mark Durham, spokesman for Identity Theft 911, a San Francisco company that specializes in identity-theft defense and consumer education.

To gauge the vulnerability of colleges and universities, employees from his company used a public search engine to scrutinize the education domain and found numerous documents posted by universities, often class lists put up by professors, with names and Social Security numbers.

"You couldn't really ask for more. Any identity thief would be pretty happy with what they had done," Durham said. They informed universities of the holes but then found that they could still find sensitive documents when they went back again later.

"You don't have to target or suspect that somebody has a lax system. You just have to do a search and whatever vulnerabilities they have will bubble up," Durham said.

For more information on ID theft, visit the Federal Trade Commission Web site at www.consumer.gov/idtheft/.

E-mail Tanya Schevitz at tschevitz@sfchronicle.com.


At SFSU
your student ID number is your social security number (until August 2004)
Q:  Will OneCard have my social security number printed on it?
A:  No, for security reasons only the last 6 digits appear on the card preceded by #601935
Q:  Will class enrollment sheets given to faculty have my name and full social security number printed on them?
A:  Yes, some sheets will have the full social security number right next to your full name

At CSU, Fullerton
Welcome to Campus-Wide ID (CWID)

Welcome to the CWID web site. This site has been posted to provide members of the Cal State Fullerton community with information about the Campus-Wide ID project.

At the end of December 2003, the university will launch Phase 1 of a multi-stage implementation of new practices for the collection, maintenance and dissemination of Social Security Numbers (SSNs) in order to protect the privacy and legal rights of its students, faculty and staff. SSNs are highly confidential and legally protected data. As an alternate to the SSN, the university has created a unique ID number for each member of the campus community.

Over the upcoming holiday break, the campus will be converting the Student Information System (SIS+) into a Campus-Wide ID environment. This means that Social Security Numbers (SSNs) will no longer appear on most SIS+ screens; they will be replaced with a nine digit campus-wide ID. Only those persons authorized to access SSN will have permission to those SIS+ screens where SSN is available.

==============================================================
The Internal Revenue Service will disclose detailed tax information to anyone who provides a Social Security number of an individual taxpayer. Many banks and brokers do so as well.
==============================================================
WHY NOT USE THIS TECHNIQUE?
MIB Inc. (formerly Medical Information Bureau) is an example of an organization that stores millions of computerized records on individuals with no numerical identifiers at all. This is done by using an algorithm to digitize a person's full name and other identifying information (birth date, address, or occupation), in order to locate a match in the data base. Proprietary forms of this methodology include SOUNDEX, Alpha Search, and SearchSoftwareAmerica. A search for a file will provide the closest match, based on a comparison of the data elements. Thus, an error in one data element will still produce an accurate match. This is not always true when only one numerical identifier, like the Social Security number, is used for a search in a data base. Large organizations like Federal Express, National Insurance Crime Bureau, VISA, and Wausau Insurance use variations of this methodology, without the need for Social Security numbers.
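The matching idea described above, as an added example that is not part of the original page and not the method of MIB or any company named here: names are reduced to standard American Soundex codes and combined with birth date and ZIP code, so a record is still found when one element is wrong. The field names, weights, threshold and records are assumptions constructed for the illustration.

```python
# Added illustration: Soundex plus multi-field scoring. Records, field names
# and weights are constructed for this example, not any vendor's real scheme.
_GROUPS = {"1": "BFPV", "2": "CGJKQSXZ", "3": "DT", "4": "L", "5": "MN", "6": "R"}
_CODE = {ch: digit for digit, chars in _GROUPS.items() for ch in chars}

def soundex(name):
    """American Soundex: first letter plus three digits, e.g. Robert -> R163."""
    letters = [c for c in name.upper() if "A" <= c <= "Z"]
    if not letters:
        return ""
    out, prev = letters[0], _CODE.get(letters[0], "")
    for c in letters[1:]:
        code = _CODE.get(c, "")
        if code and code != prev:
            out += code
        if c not in "HW":          # H and W do not separate equal codes
            prev = code
    return (out + "000")[:4]

WEIGHTS = {"last": 2, "first": 1, "dob": 2, "zip": 1}   # assumed weights

def score(query, record):
    """Sum the weights of the fields that agree; names compare by Soundex."""
    total = 0
    for field, weight in WEIGHTS.items():
        if field in ("last", "first"):
            same = soundex(query[field]) == soundex(record[field])
        else:
            same = query[field] == record[field]
        total += weight if same else 0
    return total

def closest_match(query, records, threshold=4):
    """Return the best-scoring record, or None if nothing is close enough.
    The threshold guards against linking a request to the wrong person."""
    best = max(records, key=lambda r: score(query, r))
    return best if score(query, best) >= threshold else None

RECORDS = [  # constructed sample data
    {"id": "R-001", "first": "Jon", "last": "Smythe", "dob": "1984-02-11", "zip": "94132"},
    {"id": "R-002", "first": "John", "last": "Smith", "dob": "1979-07-30", "zip": "92831"},
    {"id": "R-003", "first": "Maria", "last": "Tymczak", "dob": "1984-02-11", "zip": "94132"},
]

if __name__ == "__main__":
    typo = {"first": "John", "last": "Smith", "dob": "1984-02-12", "zip": "94132"}
    print(closest_match(typo, RECORDS))   # name misspelled and birth date off by a day
```

Soundex codes collide for unrelated names, so the threshold and the non-name fields are what keep a request from being matched to the wrong person's file.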
================================================================
 
The University of Buffalo Person Number will be assigned to all students, employees, and associated individuals at the earliest point possible in the individual's contact and association with the University. The Person Number replaces the Social Security Number as a common, unique identifier and key to databases. The Person Number will be used in all future electronic and paper data systems to identify, track, and service individuals associated with the University.


U of North Carolina, Greensboro [from http://www.uncg.edu/cha/UNIVERSITY_COUNSEL/FAQ/SSN.html]

"A student just refused to give me her social security number for identification purposes. Is she within her rights?"

Yes, she probably is. In 1974 Congress enacted Public Law 93-759, "the federal Privacy Act of 1974", (codified as 5 U.S.C. § 552a) which placed severe limitations on the use which can be made of social security numbers by state and local governmental agencies. Specifically, the Act specified that no governmental agency could deny to any individual any right, benefit or privilege provided by law because of the individual's refusal to disclose his or her social security number.

"Are there any exceptions?"

Yes, if the disclosure requirement is imposed under a law or regulation which existed prior to the effective date of the Act (1 January 1975), the requirement is legal. This would include motor vehicle (DMV) records and payroll records (for purposes of deducting social security benefits and for other tax deductions). Also exempted are disclosures required under federal law, e.g. for obtaining federal financial aid.

"But we use social security numbers as the student's identification number and on lots of other records on campus as well. Are we breaking the law?"

Not as long as we make it clear that disclosure is voluntary and that refusal to give the social security number will not result in denial of admission or other benefits. We are also required by the Act to tell the student what use we are going to make of the social security number. It would be a good idea to make a written record of that disclosure and have the student sign it. Incidentally, this procedure is also required by Administrative Memorandum Number 172, issued by President William Friday on August 23, 1982. A copy of that document is available on request from my office.

"What can we do if the student refuses to voluntarily disclose his or her social security number?"

We can generate a "dummy" number, i.e. a random number, to use instead of the social security number.


CALIFORNIA'S NEW SOCIAL SECURITY NUMBER CONFIDENTIALITY LAW

California's Social Security Number Confidentiality Law takes effect on July 1, 2002. Identity theft in America is on the rise, and this new law attempts to protect against it by limiting the use of social security numbers by private entities. Most employers use social security numbers for reporting and identification purposes, and this law may well impact the way you currently use social security numbers.

Effective July 1, 2002, "any entity or person," excluding state and local governmental agencies, is prohibited from:

The new law has two exceptions applicable to employers: