Slashdot is powered by your submissions, so send in your scoop

 


Forgot your password?
Close
typodupeerror
×
Privacy Data Storage Education Your Rights Online

Berkeley Grads' Identity Data Stolen 289

Posted by timothy from the practice-safe-applicating dept.
yali writes "Did you get a graduate degree from Berkeley? Or maybe you just applied but didn't go there? If so, your identity may have been stolen. A laptop was stolen containing names, social security numbers, birthdates, and addresses of grad students, alumni, and applicants. University police suspect that the thief just wanted the laptop, but the irony of California's mandatory notification law is that the thief may now know they have something even more valuable. Berkeley has set up a website with information on the breach."
This discussion has been archived. No new comments can be posted.

Berkeley Grads' Identity Data Stolen More

Berkeley Grads' Identity Data Stolen

Comments Filter:

  • Secret (Score:5, Insightful)

    by BWJones ( 18351 ) * on Tuesday March 29, 2005 @08:45AM (#12074942) Homepage Journal
    Personal data need to be treated as government certification of Secret documents, or at least give it Collateral classification level treatment. When personal data is checked out and allowed to be placed on laptops or other portable devices for removal from the central location where the data is stored, personal responsibility needs to be ensured and access should be confirmed by 1) need to know basis and 2) those who are trained to undergo training with confidential data.

    Granted, this will not prevent all leaks as even the State Department [computerworld.com], CIA and FBI [crimelynx.com] have had problems with missing laptops, but they are getting better about data confidentiality and security through training and implementation of protocols designed to limit leaks and unauthorized access.

    • Los Alamos (Score:4, Insightful)

      by goombah99 ( 560566 ) on Tuesday March 29, 2005 @10:49AM (#12075774)
      The problem is not just education. One has to create situations that engender proper handling of data. For example, if confidential data is only permitted on removable media and that media has to be a vault every night, signed in and signed out then its you have a situation where the person using the data and all of his or her collegues can tell by inspection if the person is not fulfilling their obligations. If its up to the person to always rememeber then eventually conveinence will override caution.

      Los alamos national lab, contrary to the implied conclusions of all its bad press and false accusations, has in fact shown that the removable disk method is an excellent means of both tracking secret data and minimizing copies of it.

      And even better approach is to make it even easier for people to maintain their data in secure forms without inhibiting their use of it. A good example of this is the macintosh laptop. Every macintosh laptop can transparently AES128 encrypt the users home directory and decrypt it upon log in. Of course you can set that up on a linux or Windows machine, but that's not the point. The point is it's already there on every mac ready to go by chekcing a box. It's not something that one has to spec. If you have to trasnfer the data to another machine you dont have to worry about setting this up. Co-workers know your machine has it. It departments can even enforce its use without penalizing the user. Ubiquity and ease of use is the key to getting encryption part of peoples work habits.

      I work in aplace where wireless internet connections are not allowed in the building. Yet when I go on travel I use it. Like everyone else I have to remember to turn off the wireless in the laptop before jacking into the building ethernet. So do you think people remember to do that. Well a lot of the time yes but many times no. but with a mac laptop its trivial to configure it so the wireless and ethernet adapters cant be on at the same time. it's impossible to forget. By the way my company spends money to pay people to walk the halls with wireless sniffers and has to discipline workers that forget. All of that is lost productivity as well as the security exposure.

      So in conclusion, any company that is concerned about data security that does not use macintoshes is wasting its money. Sure you can make a windows system secure but its the little daily things that keep it secure.


    • Personal data need to be treated as government certification of Secret documents

      First, I think you mean classification, not certification.

      Second, there is a reason and a definition behind each classification. For example, the definition of SECRET according to the Defense Security Service (available here [dss.mil] (scroll down)) is as follows:

      SECRET. The designation that shall be applied only to information or material the unauthorized disclosure of which reasonably could be expected to cause serious dam

    • Re:Secret (Score:3, Insightful)

      by hackstraw ( 262471 ) *
      Personal data need to be treated as government certification of Secret documents, or at least give it Collateral classification level treatment. When personal data is checked out and allowed to be placed on laptops or other portable devices for removal from the central location where the data is stored, personal responsibility needs to be ensured and access should be confirmed by 1) need to know basis and 2) those who are trained to undergo training with confidential data.

      That sounds fine and good, and wh

      • Re:Secret (Score:4, Insightful)

        by stinerman ( 812158 ) on Tuesday March 29, 2005 @01:28PM (#12077471)
        You raise good points, but what must happen is that people need to be more careful with their personal information. Most people gladly give away their phone number to Radio Shack, Best Buy, etc. at the drop of a hat. I'll bet you ~50% of people would give their SSN to any brick and mortar retailer (but not those hackers on the internets) if asked to do so. Most of them don't know that they can refuse to give out any of their personal information (of course, the cost may be not being able to do business with that store), but probably would so they wouldn't be put-out by having to go to another store.

        Convenience trumps all with security being a close second and privacy a distant third.
    • Personal data need to be treated as government certification of Secret documents, or at least give it Collateral classification level treatment.

      You're kidding, right? Then practically every employee in the student services and financial aid offices would need a US Government security clearance, and none of the computers there could be connected to the internet.

  • Why do they need the SSNs? (Score:5, Insightful)

    by lecithin ( 745575 ) on Tuesday March 29, 2005 @08:46AM (#12074950)
    This is a pet peeve and it is just getting worse.

    Why does a school need our SSNs? Why does anybody outside the government?

    Here in Minnesota, I need to provide my SSN now just for fishing and hunting licenses. WTF?

    • Re:Why do they need the SSNs? (Score:5, Insightful)

      by DarkTempes ( 822722 ) on Tuesday March 29, 2005 @08:51AM (#12074972)
      they use it as a personal identification number (which it isn't supposed to be used as but since everyone has a unique one it makes it easy for them to do it).

      they don't NEED to but they CAN and so they do.
      • But SSN's don't make very good personal ID #'s. They're not unique forever, because the government recycles them after a few years. I'm assuming the Berkeley has a fair number of foreign students, they probably have to generate some sort of artificial ID number for them... why can't they just generate an artificial ID number for all their students?

        To answer my own question... they could, and quite easily. The difficulty lies in transitioning all your data systems from one ID number to the other.

        • They're not unique forever, because the government recycles them after a few years.

          Insightful? This is patently false. There are some instances of multiple people having the same SSN, but these were accidental, and not intentional, and the government will issue a new SSN for people who are in this situation.

          why can't they just generate an artificial ID number for all their students?

          Read my reply to the parent. The school definitely needs your SSN. It probably shouldn't be used as a primary key, s

        • Re:Why do they need the SSNs? (Score:5, Informative)

          by forand ( 530402 ) on Tuesday March 29, 2005 @09:26AM (#12075177) Homepage
          Berkeley does NOT use your SSN for your student number. It does, however need your SSN to provide you with federal financial aid and work. Since virtually EVERY grad student falls into one of these catagories they need the SSN.
        • http://www.ssa.gov/history/hfaq.html

          Q20: Are Social Security numbers reused after a person dies?

          A: No. We do not reassign a Social Security number (SSN) after the number holder's death. Even though we have issued over 415 million SSNs so far, and we assign about 5 and one-half million new numbers a year, the current numbering system will provide us with enough new numbers for several generations into the future with no changes in the numbering system.

        • the government does NOT recycle them! There are only around a billion possible #'s though, so at some point they will have to be recycled. (SSN's are assigned randomly or sequentially, some of the digits mean something.) How SSN's work [howstuffworks.com]

    • Re:Why do they need the SSNs? (Score:5, Interesting)

      by G-funk ( 22712 ) <josh@gfunk007.com> on Tuesday March 29, 2005 @08:53AM (#12074974) Homepage Journal
      Because your SSN (like our TFN, or Tax File Number) is your nation ID number. Wether you like it or not, wether it's legal or not, it's still a fact. You guys have it worse than us, we seem to have the TFN for all "official" docs like government, financial institutions etc, and we have our license no for everything else, such as video cards etc. But we're still in databases all over the world, easily indexed by a small number of different "unique enough" keys.

      • Re:Why do they need the SSNs? (Score:4, Funny)

        by ikkonoishi ( 674762 ) on Tuesday March 29, 2005 @09:15AM (#12075103) Journal
        #12074974, I am shocked by your assertation that my actions are being tracked by an ID number of some kind. All places should put the effort to protect our identities that Slashdot does.

        Sincerly
        #12072440
        • Oddly enough, for certain college courses, students no longer put down their name, but just use their matriculation number.

          And for various research journals, you will never know the name of the persons reviewing your paper, but only an identifier such as "IXL04356". But as you are now able to reply to the reviewers comments, the log of the discussion will appear to be something out of an Asimov short story.
        • I am not a number, I am a free man !

          Sincerely, #171not-6not-6.
      • If by video card you mean a card for renting movies and by "you guys" you mean US citizens, then I would say that we our pretty similar to you. Video stores generally take a driver's license number or credit card to keep on file, they don't require a social security number and I don't believe I've even been asked to provide one optionally.

        Generally, social security numbers are used for things relating to schools, banking/investing/fincial activities, and government documents like tax returns.

      • This guy is right "like it or not"

        I am not from the US, but I was sent there for a few months to work. My wife came too for the holiday.

        Some random notes about life without an SSN...

        • I decided to open a US bank account. Got a check book ok. Got a debit card. Then the fun starts - the bank calls back after two weeks to cancel the debit card. No SSN. The checks are 'starters' even though they start at 1000 (to fool those pesky shop clerks on the look out for checks that start at 1). Everyone refuses to h
    • I bet you don't NEED to.. just tell them you don't have one... they can't make you give them something you don't have... that's what I do.. I've never had a problem.
      • agreed, one of my college roomates didn't have a SSN. Her dad paid the 20K tuition in friggin cash every year ;-) Even to the point of mailing her cash wrapped in tinfoil!

        His 'profession' was 'auto parts reseller' - he drove around to mechanics selling them 'discount' parts. Um yeah right ;-)

        Dunno what he was hiding, but it wasn't pretty I'm sure!


    • Think of how many institutions we deal with require our SSN. With Social Security supposedly going defunct in 2041 (from the headlines) do you suppose all of these organizations are going to be so forward thinking as to choose a new "key" for each of us by then? How much is it going to suck for kids in the future to be issued a Social Security Number when it's used for pretty much everything under the sun EXCEPT for obtaining Social Security benefits.
      • Exactly why my kids will not be getting SSNs!

        • get them SSN's (Score:2, Insightful)

          by Anonymous Coward
          They will need one eventually.

          Without an SSN you can't get financial aid. I was born on a commune near the Canadian border and didn't have either a birth certificate or SSN for many, many years.

          Eventually I got the opportunity to go to Moscow. It took me almost 2 years to get a passport. Needless to say I missed the trip.

          I then applied to college and got accepted. Since we are dirt poor I applied for financial aid. They promptly said, sorry you are not enlisted with the selective service. I said no shit.
        • ahh.. you must be comfortably wealthy-- or, more likely, childless and blowing smoke.

          SSN's are required to get the tax deduction for your children

    • Re:Why do they need the SSNs? (Score:5, Funny)

      by flyingsquid ( 813711 ) on Tuesday March 29, 2005 @09:04AM (#12075037)
      Why does a school need our SSNs? Why does anybody outside the government? Here in Minnesota, I need to provide my SSN now just for fishing and hunting licenses. WTF?

      Next time you apply for a license, just tell them you are John Kruptowski, 537 Cherrywood Circle, Minneapolis, Minnesota, 575-63-6216, currently applying to UC Berkeley's astrophysics program.

      If you don't like that name, I got a zillion more.

    • Why does a school need our SSNs?

      They definitely need it so they can file a 1098-T at the end of the year. They probably also need it so they can do a credit check on you, both to determine if they're going to admit you, as well as to determine whether or not you qualify for whatever tuition plans they offer (unless you're prepaying in cash, the school is giving you a loan). If you're a transfer student, they need it so they can verify your transcript, this could perhaps be done in another way, using yo

      • OK, agreed, tax & SS-related forms are legitimate.

        Now: what abou the whole "credit check" thing? Let's ask a more fundamental question--why is the SSN required for this sort of thing at all? Or for transcript verification?

        Simple answer: It's a unique identifier, you said it. Funny thing that, doesn't the Social Security Act specify that the SSN is not meant to be used as identification except for Social Security purposes?

        You hit the nail on the head with the word "easy". It's easy. "Easy" is n
    • My school has switched from using Social Security Numbers to our unique numbering system. I can use this number in everywhere where I used to use my SSN when logging into secure sites, signing up for university classes, etc... Even my state of Virginia changed over from SSN's on the license to "Customer Numbers" which mean nothing to anyone who doesn't need to know my ID.

    • Why does a school need our SSNs?

      Many grad students are employed by the school. This is something they'd collect not on application but on the student showing up to work.

      For undergrad financial aid, there's the requirement that male students be checked to be sure they're registered with Selective Service. Some schools use this as an excuse to collect SSN, but I think it's a lame excuse because when I registered at least (many years ago you can tell!) I didn't even have a SSN.

    • Ask the university department responsible for fund raising. They will tell you that the easiest way to track alumni in the USA is with SSN. If you have someone's SSN, it is easy to find their up-to-date address -- critical for fund raising. There are businesses which will provide you with up-to-date addresses, if you give them SSNs. My university does not collect all student SSN so it is severly handicapped in fund raising.

  • No! (Score:2, Funny)

    by TheSpeedoBeast ( 863070 )
    Oh, HELL no, I just applied there!
    • That's okay. Don't worry. I can now sell you a genuine degree. Wink wink, nudge nudge.

      The price is cheap and lets you get into the job market that much quicker: $5,000.00 in Doritos and Mountain Dew [tt]

      Mind you, it's ALWAYS been possible to game the system to get universities to issue degrees. Records are lost, etc. It used to be that you had to go in with fake paperwork a couple of decades later, be really insistent, and walk out with your sheepskin. Nowadays, it's SO much more convenient, thanks to the

  • It's easy to encrypt in Windows (Score:5, Informative)

    by caluml ( 551744 ) <slashdot@spamgoe ... minus herbivore> on Tuesday March 29, 2005 @08:49AM (#12074958) Homepage
    Windows, love it or hate it, makes it very easy to secure your data on a laptop. Just right click, and buried somewhere in there (Advanced options or something) tick the Encrypted option.
    Better still, just create a directory (C:\Encrypted), and encrypt the folder, and all subdirectories.
    Of course, there are issues with losing the encryption key, but as it's a laptop, and probably only has the one harddrive, I would expect the person to be keeping a backup somewhere else.
    • "Windows, love it or hate it, makes it very easy to secure your data on a laptop. Just right click, and buried somewhere in there (Advanced options or something) tick the Encrypted option."

      I'd bet your paycheck that the password to login is on a post-it stuck to the laptop's keyboard!

      "Of course, there are issues with losing the encryption key, but as it's a laptop, and probably only has the one harddrive, I would expect the person to be keeping a backup somewhere else."

      HAHAHAHAA! A Windows user? I
    • With Win2k, maybe XP too, you need to download a special pack to get the 3des cipher if your copy is from outside the US. IIRC, this isn't even the default cipher. Plain DES is! (which is very insecure ;))

      Screw encrypting stuff with 3des =/ Laptop power is precious enough as it is.
      • I assume that the person that stole the laptop wasn't targetting it - they just had a quick browse (maybe it auto-logged in a la XP), and went "Wahey, a nice spreadsheet full of gumpf - maybe I can sell this." I'm sure single DES would have stopped them.

    • Windows, love it or hate it, makes it very easy to secure your data on a laptop

      I am not sure Windows has anything to do with it as any OS supports crypto, the question is why did an application designed to hold social security numbers on a insecure PC not encrypt the data store?

      Users will not do anything they do not have to. An encrypting/decrypting files leave copies of data un-encrypted on the disk. So blaming the user is not it either.

      I would blame whomever aquired and authorized the use of the

      • idiots (Score:5, Interesting)

        by Mr. Underbridge ( 666784 ) on Tuesday March 29, 2005 @09:28AM (#12075201)
        I am not sure Windows has anything to do with it as any OS supports crypto, the question is why did an application designed to hold social security numbers on a insecure PC not encrypt the data store?

        Something tells me the whole thing was on Excel.

        There is absolutely no reason to have anything like this on a laptop. If there is some reason one would need the information from a laptop, you can access it from a server using a client that won't make a local copy. Ridiculous.

    • Re:It's easy to encrypt in Windows (Score:4, Informative)

      by Wingsy ( 761354 ) on Tuesday March 29, 2005 @09:27AM (#12075195)
      Just as easy if not easier in OSX. Created an encrypted disk image (AES 128 bit) where the files are to be kept and do not put the pw in the Keychain. I'd trust encryption on a Mac a zillion times more than on Windows.
      • Or you could just encrypt your entire home directory with File Vault. I'm doing this in Panther on my iBook with no problems. Of course, you can still make an image thats encrypted with AES128 inside of your home directory thats been encrypted.
    • Macs used to have that feature in OS9 and possibly OS8, but it's gone in OSX. Weird. You could ctrl-click on any document and get an option to encrypt it.

  • Wow... (Score:5, Funny)

    by InterruptDescriptorT ( 531083 ) on Tuesday March 29, 2005 @08:50AM (#12074961) Homepage
    Talk about your OpenBSD (Berkeley Social Data)...

  • Privacy (Score:5, Insightful)

    by Tom ( 822 ) on Tuesday March 29, 2005 @08:54AM (#12074985) Homepage Journal
    Let's hope the sheer amount of identify theft problems will spearhead a push for more privacy protection.
    I don't just mean everyone gathering less personal information, I also mean making sure that what they do gather is adequately protected. You have a resonsibility to your clients, customers, whatever.
    • You may want to use the EU Personal Data Directive (95/46/EC) [cdt.org] as a starting point. But even the Directive has its weaknesses...

      • Re:Privacy (Score:2)

        by Tom ( 822 )
        The problem here being that

        a) the US (where most of these problems happen) is not a member of the EU
        b) the US has put immense pressure and bought/bribed some politicians in the EU to bypass the EU directive, even where it would apply to US businesses (i.e. transfer of data from EU to the US).
        I say bribed because the affair (about a year ago) was quite similar to what's happening with the software patents right now - only insanity or bribery can explain the behaviour of some key persons.
        If I recall correctl
    • The problem isn't securing the information better, the problem is the information is your enemy. Security is an oxymoron in this case, no matter how well you lock down the systems there's nothing keeping someone inside from stealing information.

      It's like everyone has their own poison being stored by someone else. The problem isn't who's storing your identity, the problem is your identity is a vulnerability!

      Until a non-vulnerable identity is made, organizations should respect people's privacy even if it

    • I will personally champion the cause of retinal scans as the only valid form of identification, as shown in the book/film, Minority Report. Sure, that will mean having a national database of retina biometrics, but this will be impossible to fake as long as the scanners are powered by a serious, closed-source platform like Longhorn, and equipped with bombs so that the Orrin Hatch can blow up offending units.

      In other news, as of 8:00 am this morning, I have filed my application with Berkeley's optomology pro

  • The real problem: unchangeable passwords (Score:5, Interesting)

    by pocari ( 32456 ) on Tuesday March 29, 2005 @08:55AM (#12074990)
    The real problem is that banks, credit bureaus, and schools are allowed to continue to pretend that knowing someone's SSN and birthdate is proof of anything.

    It seems like this could be solved with a public database of SSNs and birthdays. Once you list yourself, you can tell credit bureaus and banks that this information has been widely published, and therefore anybody who acts like it's a secret is negligent. Civil disobedience for the information age.

    I am too chicken to go first, though.

    • The real problem is that banks, credit bureaus, and schools are allowed to continue to pretend that knowing someone's SSN and birthdate is proof of anything.

      Schools maybe, but what bank or credit bureau does such a thing?

      It seems like this could be solved with a public database of SSNs and birthdays. Once you list yourself, you can tell credit bureaus and banks that this information has been widely published, and therefore anybody who acts like it's a secret is negligent.

      I am too chicken to go first

      • As an individual act, it is foolish. Which is why I am chicken. You cannot boycott the bus system by yourself and expect change. But if enough people did it, businesses would be forced to figure out something else. You can't put a note on everybody's credit report and expect the system to run smoothly.
        • I have been "bucking" the system for years... the only people who have my SSN are my bank, my employer, the IRS, and my college (due to some horrible mixup that occurred when my parents gave them my number back in my youth.. however I got the school to generate a number for general use.. but they refused to remove my SS from the database)..

          But.... I've happily gone around not giving out my SSN.... Given Blood, etc, etc... just say "sorry, I don't have one".

        • But you're assuming it's a bad thing in the first place. If someone wants to give someone a loan without first checking that they actually are who they say they are, why should I care just because they say they're me? Sure, up to a year later I'll notice a false statement on my credit report, and I'll have to make a phone call or 2 to get it removed, but ultimately the person who really gets screwed over is the person who made the loan in the first place.

          There's enough disincentive against banks in just

    • I agree. Although I think the real problem here is the idiot policy or person that allowed a large amount sensative data like this to be stored on a laptop

      That is just begging for a class action lawsuit.

  • Biometrics (Score:5, Interesting)

    by failure-man ( 870605 ) <failureman@gmFREEBSDail.com minus bsd> on Tuesday March 29, 2005 @08:57AM (#12075002)
    With all this personal data getting stolen (and the tinfoil crowd will hate this) the only way to avoid a complete infoclypse may be to actually appear somewhere in person and have your identity biometrically certified when you apply for credit.

    These leaks aren't gonna go away, so we'd better start finding ways to make them irrelevant. Sure, it'd be inconvenient and raise privacy concerns, but I'd rather have my prints on file than have my bank accounts cleaned out and credit ruined with little, if any recourse, solely due to someone else's blunder.
    • Riiiiiiiiiiight. Until someone decides, just for a cheap thrill, to mess around with the databases matching people to their biometric data. (Among the many things that can easily happen to fuck everything up.) Then the fun really begins!
    • I have to agree. Instead of trying to protect information like our SSNs (which will never happen) we should instead make it more difficult to apply for these credit/life ruining things, like credit cards, loans, whatever. I have a little trashcan on the inside of my front door that all of the credit card applications, mortgage applications, and anything else that is more than a 'To the Resident At...' letter. Those get shredded, then incinerated.

      How honest do you think all of the waiters/waitresses are in

  • Great (Score:2, Interesting)

    by baadger ( 764884 )
    [/blockquote][I]...but the irony of California's mandatory notification law is that the thief may now know they have something even more valuable[/I][/blockquote] And in another twist of fate the theif is a hardcore slashdotter.

  • Wow... (Score:2, Funny)

    by jpiggot ( 800494 )
    ..and the irony of the theft...is that pot dealers are anixously bidding for the laptop on Ebay, for a chance to sell weed to more than enough smokers needed to put that down payment on that cool 50ft motoryacht they've been wanting.

    I kid because I love. What other university lets you major in "crispy" ?

  • Identity information is only useful to people who know how to perpetrate identity theft. If this crook knew how to do this the chances are he'd already have looked. And he has to realise that it is the laptop he stole.

    It's a problem if he knows this and knows someone who knows what to do with the data, but at least with disclosure the victims know they are at risk.

  • No, my identity may have been copied, but my identity certainly wasn't stolen.

  • Can you say "Irony" (Score:5, Interesting)

    by tomhudson ( 43916 ) <barbara.hudson@b ... m ['son' in gap]> on Tuesday March 29, 2005 @09:08AM (#12075060) Journal
    SISS, UC Berkeley - Social Security, Driver's Licenses, and California ID Cards [berkeley.edu]
    Social Security Number Safety

    Although a SSN is only meant to be used for tax and government purposes, it is often used by financial institutions, businesses, and others as a unique identification number. Because the SSN is a unique ID, it is often the target of "identity theft". Therefore you should be very careful about where and to whom you give your SSN.

    • Never carry your Social Security card or number with you. Keep it at home in a secure place.
    • Only give your SSN to someone who has a specific and legitimate need for it.
    • Be very careful with any forms, applications or other materials that may have your SSN on it.
    • Never give your SSN to someone who phones you. You should initiate the call or meet in person.
    • Never reply to email or web sites that request an SSN.
    Gee, too bad they don't follow their own advice to "be careful". Guess they haven't quite gotten the hang of that "intarweb thingee" yet.

  • Why does the notifcation have to be public? (Score:4, Interesting)

    by vrimj ( 750402 ) on Tuesday March 29, 2005 @09:08AM (#12075063)
    Unless they have no idea what specific data was involved why not just send these people a letter?

    As I read the law personal notifcation is not only allowed it is prefered. The complants about "now the theves know they have something valuable" seems like it is more a result of the choice to hold a press conferance and save the cost of a lot of stamps.

  • At Least It's Not Arrogance (Score:5, Interesting)

    by mirio ( 225059 ) on Tuesday March 29, 2005 @09:13AM (#12075086)
    Well, during my undergrad years at an unnamed university...oh what the hell...The University of West Georgia [westga.edu], I worked in the ITS department on campus which was responsible for all the applications in our internal system called Banner (a big freaking waste of money for an Oracle Forms application..but that's another discussion for another day).

    Anyway, my role was to prepare reports for various people around campus. For example, if a student organization required a given GPA for membership, their faculty advisor could request a report of all students meeting the criteria.

    The thing that most amazed me when I started working there was the complete lack of respect for people's social security numbers and birthdays. Any professor on campus could get pretty much any information he or she wanted.

    Even more brazen than this activity was the infrastructure on campus. Every user ran their applications over a telnet session. Yes....telnet. I demonstrated to my boss how easy it was to run a packet sniffer and catch social security numbers as they went across the wire..but all my concerns fell on deaf ears. I also showed them how SSH could be used as a direct replacement for telnet but again...no one seemed care.

    I then wrote a letter to the editor of the University's only newspaper describing the lack of respect for peoples' personal information, but the letter was never published. When I e-mailed the student editor and asked why my letter wasn't published, she said she was asked by the administration not to run it.

    I graduated in 99 so I'm not sure if any changes have been made. I would love to know.
    • I'm a undergrad student now. Currently not declared.

      Anyways, who should I go talk to? I also know a CS gradstudent here.

      I could give my liberal hippy friends soemthing to protest about on campus.
    • When I was a teaching assistant at the University of Georgia, we were given the SS# of every student in our class. I never once used them, and I would've strongly preferred not to have them at all. Also, we were never given anything saying, "Hey, this information is confidential and should be treated with care." (I know that's obvious to you and I, but it's not obvious to everyone.)

      The only reason I could see for us having SS# was that without them we were relying on names to be unique within a given cla
      • Dear Goddess, that school uses Banner and doesn't even bother to use its own ID system? o.o; My school uses Banner, too (although I can't comment on the quality of the system - I'm on the student side, not the faculty/administration side), but they assign us specific Banner IDs that we use everywhere instead of SSNs or whatnot.

  • Too much (Score:2, Interesting)

    by QuietLagoon ( 813062 )
    Why was that amount of personal data allowed to be on a laptop in the first place?

    • Re:Too much (Score:4, Insightful)

      by tuxette ( 731067 ) * <(tuxette) (at) (gmail.com)> on Tuesday March 29, 2005 @09:20AM (#12075124) Homepage Journal
      I was about to ask the same thing.

      What a lot of "security officers" seem to neglect is that an important part of security is to make what one would want to steal physically difficult, even impossible, to do so. This would perhaps work as a last resort against other stupidities such as forgetting to encrypt or letting non-authorized persons in a restricted zone.

      Incidentally, a laptop doesn't even need to be stolen. Call any train station or airline and ask them how many laptops are forgotten each day. Each week. Each month.

      Nobody raises an eyebrow when they see someone carrying a laptop on a university campus. Someone trying to haul a big machine would draw more attention.

  • Why all on a latop? (Score:5, Insightful)

    by WebHostingGuy ( 825421 ) on Tuesday March 29, 2005 @09:14AM (#12075093) Homepage Journal
    Why was all of this on a laptop?

    Sensitive information should be placed in a central repository and then encrypted and guarded. The mere fact that someone can download this to a laptop shows that their mindset is that this information is just normal stuff like a word document. Before you can have true security organizations need to get this first.

  • California Universities (Score:4, Interesting)

    by That's Unpossible! ( 722232 ) * on Tuesday March 29, 2005 @09:46AM (#12075330)
    Is it just me, or is this like the third story of personal information being stolen from California universities recently? WTF is going on over there?

    As an aside, my girlfriend lives in California, and someone opened a credit card in her name soon after she had sent in applications to several California universities applying for grad school.
      • Is it just me, or is this like the third story of personal information being stolen from California universities recently? WTF is going on over there?

      Nope, it's not just you. The same thing is going on everywhere else. It's just that in California they have a law [ca.gov] that requires disclosure when data gets out. (article describing law [securityfocus.com])

      The reason you keep hearing about data leaking from Californian universities is because they actually follow the law, unlike some federal agencies [slashdot.org].

    • I work at a CA university, so I know the answer.

      The answer is that CA passed a law a year ago that mandated notification of personal data theft (there's a list of data elements that trigger this) either directly to the individuals or publicly if that is not possible.

      What you're seeing in CA is the first semi-proper accounting of how much data theft is taking place. The reason you don't see it in other states is that they don't have such laws, so it's not being disclosed. It most certainly IS still happeni

  • That's ok. (Score:4, Funny)

    by RandoX ( 828285 ) on Tuesday March 29, 2005 @09:56AM (#12075401)
    I don't use my own identity anymore anyway.

  • Is it really irony? (Score:3, Insightful)

    by Sigma 7 ( 266129 ) on Tuesday March 29, 2005 @10:00AM (#12075428)
    but the irony of California's mandatory notification law is that the thief may now know they have something even more valuable.


    Unless there is going to be an unconditional format of the hard drive in question, either the thief or the fence (i.e. buyer) would have discovered the data eventually. Given that it's most likely an MS Access database, it shouldn't be too much of a problem extracting those numbers from the file.

    In the event that difficulties are encountered, it's not too hard to find someone on the black market who will crack the information (e.g. brute forcing login passwords to gain access to whatever that follows.)

    Any irony obtained by the law will only accelerate what would have occurred normally.
  • When I was in college, to enter the dorms and other "sensitive" areas, you had to swipe your school ID. To purchase food on your meal plan, you had to swipe your ID. You could put money into a debit account to buy things on campus and select off campus stores (like the local gas station), and swipe your ID to use it. The ID sent unencrypted the student's SSN. Anyone with a POS card reader and access to a student ID could retrieve the SSN, and legal name (printed on the front of the ID).

    If you lost your ID, it was a simple matter to go down to Student Accounts and get a new one for $10. But since the SSN is used as an ID, the old ID card couldn't be deactivated and the missing one could be used by whoever found it.

    Thankfully, last year they switched from using SSN to a 12 digit ID number generated by the college. However, "lost" cards are still usable

  • Lawsuits? (Score:5, Interesting)

    by Quixote ( 154172 ) * on Tuesday March 29, 2005 @10:22AM (#12075603) Homepage Journal
    Seeing how lawsuit-friendly the US society is, why haven't more people sued these companies which "lose" private data?

    If you just slip and fall on the grounds of a business, you can expect to make a couple 100 Gs for "mental suffering". Why not do the same here? People should get together and file class-action lawsuits left-and-right. Then watch the companies scramble to protect the data.

    Don't get me wrong: I am dead against frivolous lawsuits. But the language of financial pain is the only language these businesses understand. "Morality" is a word that is not there in their lexicon.

  • Poor devils. (Score:4, Funny)

    by bobbuck ( 675253 ) on Tuesday March 29, 2005 @10:24AM (#12075619)
    Wow. These poor guys will be branded as Berkeley alumni for life.

  • It's nice to see that Ian Goldberg is back to its old self.

  • Torrent? (Score:3, Funny)

    by Cyn ( 50070 ) <cyn.cyn@org> on Tuesday March 29, 2005 @10:39AM (#12075724) Homepage
    I can't seem to find it yet, anyone have it?
  • I took my GRE Saturday and Berkley was one of the schools I checked off to receive my scores... Ahwell, the thief will be long gone before my info gets there... ;)

  • Whoever lost the laptop should be liable (Score:3, Insightful)

    by blueZ3 ( 744446 ) on Tuesday March 29, 2005 @11:09AM (#12075940) Homepage
    This kind of thing just ticks me off no end. Some Berkeley bureaucrat leaves a laptop in their car, which will no doubt result in 1000s of stolen identities, lives ruined, tens-of-thousands of wasted hours? and they?re likely not even going to get a slap on the wrist. Personally, I?d make any individual who is responsible for this kind of thing financially liable for damages. I?d also try them for criminal negligence and possibly for aiding and abetting fraud. Then I?d let each person who has their identity stolen take one swing at them with an aluminum baseball bat. Currently, there?s just no accountability for this type of thing.
  • This would be the *third* time that a University has 'lost' my personal information as an applicant, either for undergraduate or graduate applications, during the last 4 years.

    Perhaps future applications should seriously consider refusing to provide a SSN until they make it though the admissions process.

    I'm still waiting on real data privacy laws too, even if they are California only.
  • So what is the answer? Consider the following:

    -An application requires that the user be able to process personal data about clients.
    -The Social Security Number and other "sensitive" data is required by US government.
    -The application must work across a wide geographical area. The application is on PCs that although locked up in buildings, could be stolen.
    -Regardless of connectivity the data application must perform all functions, access all historical records of the client. So it must have some sort of loca
  • There's an epidemic of identity theft across the country. Many thousands of American lives are being ruined overnight by theft and fraud. International crime syndicates, including the huge Russian and American mafias, are directly involved. Where's the FBI? Busy working on the Patriot Act to protect us from "terrorists". Thanks, Ashcroft, and, er, uh, who's that guy who replaced you this year?

  • Happened at my University too. (Score:3, Informative)

    by Maul ( 83993 ) on Tuesday March 29, 2005 @12:33PM (#12076796) Journal
    Last summer, I received a letter from the University I attended. They said that a computer system containing records for just about all current and former students had been compromised, and that it was possible our personal information (including SSN, etc.) had been stolen.

    This is obviously not a unique situation.

Slashdot Top Deals

I tell them to turn to the study of mathematics, for it is only there that they might escape the lusts of the flesh. -- Thomas Mann, "The Magic Mountain"

Close