
Berkeley Grads' Identity Data Stolen

yali writes "Did you get a graduate degree from Berkeley? Or maybe you just applied but didn't go there? If so, your identity may have been stolen. A laptop was stolen containing names, social security numbers, birthdates, and addresses of grad students, alumni, and applicants. University police suspect that the thief just wanted the laptop, but the irony of California's mandatory notification law is that the thief may now know they have something even more valuable. Berkeley has set up a website with information on the breach."

  • by G-funk ( 22712 ) <josh@gfunk007.com> on Tuesday March 29, 2005 @08:53AM (#12074974) Homepage Journal
    Because your SSN (like our TFN, or Tax File Number) is your nation ID number. Whether you like it or not, whether it's legal or not, it's still a fact. You guys have it worse than us, we seem to have the TFN for all "official" docs like government, financial institutions etc, and we have our license no for everything else, such as video cards etc. But we're still in databases all over the world, easily indexed by a small number of different "unique enough" keys.
  • by pocari ( 32456 ) on Tuesday March 29, 2005 @08:55AM (#12074990)
    The real problem is that banks, credit bureaus, and schools are allowed to continue to pretend that knowing someone's SSN and birthdate is proof of anything.

    It seems like this could be solved with a public database of SSNs and birthdays. Once you list yourself, you can tell credit bureaus and banks that this information has been widely published, and therefore anybody who acts like it's a secret is negligent. Civil disobedience for the information age.

    I am too chicken to go first, though.

  • Biometrics (Score:5, Interesting)

    by failure-man ( 870605 ) <failureman@gmFREEBSDail.com minus bsd> on Tuesday March 29, 2005 @08:57AM (#12075002)
    With all this personal data getting stolen (and the tinfoil crowd will hate this) the only way to avoid a complete infoclypse may be to actually appear somewhere in person and have your identity biometrically certified when you apply for credit.

    These leaks aren't gonna go away, so we'd better start finding ways to make them irrelevant. Sure, it'd be inconvenient and raise privacy concerns, but I'd rather have my prints on file than have my bank accounts cleaned out and credit ruined with little, if any recourse, solely due to someone else's blunder.
  • Great (Score:2, Interesting)

    by baadger ( 764884 ) on Tuesday March 29, 2005 @08:58AM (#12075008)
    "...but the irony of California's mandatory notification law is that the thief may now know they have something even more valuable" And in another twist of fate the thief is a hardcore slashdotter.
  • by anon*127.0.0.1 ( 637224 ) <slashdot@@@baudkarma...com> on Tuesday March 29, 2005 @09:06AM (#12075048) Journal
    But SSN's don't make very good personal ID #'s. They're not unique forever, because the government recycles them after a few years. I'm assuming that Berkeley has a fair number of foreign students, they probably have to generate some sort of artificial ID number for them... why can't they just generate an artificial ID number for all their students?

    To answer my own question... they could, and quite easily. The difficulty lies in transitioning all your data systems from one ID number to the other.
  • Can you say "Irony" (Score:5, Interesting)

    by tomhudson ( 43916 ) <barbara.hudson@b ... m ['son' in gap]> on Tuesday March 29, 2005 @09:08AM (#12075060) Journal
    SISS, UC Berkeley - Social Security, Driver's Licenses, and California ID Cards [berkeley.edu]
    Social Security Number Safety

    Although a SSN is only meant to be used for tax and government purposes, it is often used by financial institutions, businesses, and others as a unique identification number. Because the SSN is a unique ID, it is often the target of "identity theft". Therefore you should be very careful about where and to whom you give your SSN.

    • Never carry your Social Security card or number with you. Keep it at home in a secure place.
    • Only give your SSN to someone who has a specific and legitimate need for it.
    • Be very careful with any forms, applications or other materials that may have your SSN on it.
    • Never give your SSN to someone who phones you. You should initiate the call or meet in person.
    • Never reply to email or web sites that request an SSN.
    Gee, too bad they don't follow their own advice to "be careful". Guess they haven't quite gotten the hang of that "intarweb thingee" yet.
  • by vrimj ( 750402 ) on Tuesday March 29, 2005 @09:08AM (#12075063)
    Unless they have no idea what specific data was involved why not just send these people a letter?

    As I read the law, personal notification is not only allowed it is preferred. The complaints about "now the thieves know they have something valuable" seem like more a result of the choice to hold a press conference and save the cost of a lot of stamps.
  • by anthony_dipierro ( 543308 ) on Tuesday March 29, 2005 @09:09AM (#12075071) Journal

    The real problem is that banks, credit bureaus, and schools are allowed to continue to pretend that knowing someone's SSN and birthdate is proof of anything.

    Schools maybe, but what bank or credit bureau does such a thing?

    It seems like this could be solved with a public database of SSNs and birthdays. Once you list yourself, you can tell credit bureaus and banks that this information has been widely published, and therefore anybody who acts like it's a secret is negligent.

    I am too chicken to go first, though.

    The problem is, you'd probably be negligent for listing yourself in such a database.

    If you really want to make it harder to get a loan, just call up the three credit bureaus and tell them that your identity was stolen. They'll put a note on your credit report and you basically won't be able to do anything by phone any more.

    I fail to see how this is a good thing, though.

  • by mirio ( 225059 ) on Tuesday March 29, 2005 @09:13AM (#12075086)
    Well, during my undergrad years at an unnamed university...oh what the hell...The University of West Georgia [westga.edu], I worked in the ITS department on campus which was responsible for all the applications in our internal system called Banner (a big freaking waste of money for an Oracle Forms application..but that's another discussion for another day).

    Anyway, my role was to prepare reports for various people around campus. For example, if a student organization required a given GPA for membership, their faculty advisor could request a report of all students meeting the criteria.

    The thing that most amazed me when I started working there was the complete lack of respect for people's social security numbers and birthdays. Any professor on campus could get pretty much any information he or she wanted.

    Even more brazen than this activity was the infrastructure on campus. Every user ran their applications over a telnet session. Yes....telnet. I demonstrated to my boss how easy it was to run a packet sniffer and catch social security numbers as they went across the wire..but all my concerns fell on deaf ears. I also showed them how SSH could be used as a direct replacement for telnet but again...no one seemed to care.

    I then wrote a letter to the editor of the University's only newspaper describing the lack of respect for peoples' personal information, but the letter was never published. When I e-mailed the student editor and asked why my letter wasn't published, she said she was asked by the administration not to run it.

    I graduated in 99 so I'm not sure if any changes have been made. I would love to know.
  • Too much (Score:2, Interesting)

    by QuietLagoon ( 813062 ) on Tuesday March 29, 2005 @09:13AM (#12075087)
    Why was that amount of personal data allowed to be on a laptop in the first place?
  • by pocari ( 32456 ) on Tuesday March 29, 2005 @09:14AM (#12075096)
    As an individual act, it is foolish. Which is why I am chicken. You cannot boycott the bus system by yourself and expect change. But if enough people did it, businesses would be forced to figure out something else. You can't put a note on everybody's credit report and expect the system to run smoothly.
  • by WebHostingGuy ( 825421 ) on Tuesday March 29, 2005 @09:20AM (#12075130) Homepage Journal
    I think it really doesn't matter. As soon as someone gets the notification someone will tell the press. Also, by releasing it out you control the story and timing. There is no way a story about a large university losing this data would stay out of the media.
  • by emotionus ( 657937 ) on Tuesday March 29, 2005 @09:22AM (#12075143)
    I'm an undergrad student now. Currently not declared.

    Anyways, who should I go talk to? I also know a CS grad student here.

    I could give my liberal hippy friends something to protest about on campus.
  • idiots (Score:5, Interesting)

    by Mr. Underbridge ( 666784 ) on Tuesday March 29, 2005 @09:28AM (#12075201)
    I am not sure Windows has anything to do with it as any OS supports crypto, the question is why did an application designed to hold social security numbers on an insecure PC not encrypt the data store?

    Something tells me the whole thing was on Excel.

    There is absolutely no reason to have anything like this on a laptop. If there is some reason one would need the information from a laptop, you can access it from a server using a client that won't make a local copy. Ridiculous.

  • by matth ( 22742 ) on Tuesday March 29, 2005 @09:32AM (#12075228) Homepage
    I have been "bucking" the system for years... the only people who have my SSN are my bank, my employer, the IRS, and my college (due to some horrible mixup that occurred when my parents gave them my number back in my youth.. however I got the school to generate a number for general use.. but they refused to remove my SS from the database)..

    But.... I've happily gone around not giving out my SSN.... Given Blood, etc, etc... just say "sorry, I don't have one".
  • by Anonymous Coward on Tuesday March 29, 2005 @09:32AM (#12075233)
    Never bothered to post before, sorry for the AC.

    Have a system where US citizens (Gotta HAVE a SSN) fill out a bunch of such data, and then it's hidden.

    Gone, invisible. No one else can see it.

    Until, let's say, a million people sign up.

    See? No one has to be the chicken.

    And you better encrypt that system ;-)
  • by That's Unpossible! ( 722232 ) * on Tuesday March 29, 2005 @09:46AM (#12075330)
    Is it just me, or is this like the third story of personal information being stolen from California universities recently? WTF is going on over there?

    As an aside, my girlfriend lives in California, and someone opened a credit card in her name soon after she had sent in applications to several California universities applying for grad school.
  • by Skater ( 41976 ) on Tuesday March 29, 2005 @09:48AM (#12075344) Homepage Journal
    When I was a teaching assistant at the University of Georgia, we were given the SS# of every student in our class. I never once used them, and I would've strongly preferred not to have them at all. Also, we were never given anything saying, "Hey, this information is confidential and should be treated with care." (I know that's obvious to you and I, but it's not obvious to everyone.)

    The only reason I could see for us having SS# was that without them we were relying on names to be unique within a given class of 30 people - a problem I didn't run into in 2 years of being a TA. But a simple unique student ID would serve that purpose as well - and the last few digits of that could be read aloud without any risk to distinguish the two students on the first day of class.

    For basic stats classes (STAT 200, later 2000), we also had them fill out their SS#s on the scantron forms.
  • When I was in college, to enter the dorms and other "sensitive" areas, you had to swipe your school ID. To purchase food on your meal plan, you had to swipe your ID. You could put money into a debit account to buy things on campus and select off campus stores (like the local gas station), and swipe your ID to use it. The ID sent unencrypted the student's SSN. Anyone with a POS card reader and access to a student ID could retrieve the SSN, and legal name (printed on the front of the ID).

    If you lost your ID, it was a simple matter to go down to Student Accounts and get a new one for $10. But since the SSN is used as an ID, the old ID card couldn't be deactivated and the missing one could be used by whoever found it.

    Thankfully, last year they switched from using SSN to a 12 digit ID number generated by the college. However, "lost" cards are still usable.

  • by Anonymous Coward on Tuesday March 29, 2005 @10:11AM (#12075505)
    Some schools are beginning to move away from SSN in the wake of identity theft. I work for Kansas State University and we have been working on this for a couple years. And while it might sound simple on the surface, there are a lot of software systems and departments involved.

    Everyone now must use their eID to access email, the central unix servers, use K-State Online, and a host of other services.

    The general idea is that a person is assigned an eID and a dirkey. The eID may change in the future, but a single person is guaranteed to have only one dirkey over their lifetime. The dirkey is a CHAR(12) primary key in Oracle.
  • Lawsuits? (Score:5, Interesting)

    by Quixote ( 154172 ) * on Tuesday March 29, 2005 @10:22AM (#12075603) Homepage Journal
    Seeing how lawsuit-friendly the US society is, why haven't more people sued these companies which "lose" private data?

    If you just slip and fall on the grounds of a business, you can expect to make a couple 100 Gs for "mental suffering". Why not do the same here? People should get together and file class-action lawsuits left-and-right. Then watch the companies scramble to protect the data.

    Don't get me wrong: I am dead against frivolous lawsuits. But the language of financial pain is the only language these businesses understand. "Morality" is a word that is not there in their lexicon.

  • by enbody ( 472304 ) on Tuesday March 29, 2005 @11:47AM (#12076272) Homepage
    Ask the university department responsible for fund raising. They will tell you that the easiest way to track alumni in the USA is with SSN. If you have someone's SSN, it is easy to find their up-to-date address -- critical for fund raising. There are businesses which will provide you with up-to-date addresses, if you give them SSNs. My university does not collect all student SSN so it is severely handicapped in fund raising.
  • by Life2Short ( 593815 ) on Tuesday March 29, 2005 @11:51AM (#12076325)
    Send a letter where? I was at Berkeley '94-95. Since then I've lived in London, Western MN, San Francisco, and NC. Since the data includes people who got degrees in the '70s, they might not be too easy to track down.
  • by Anonymous Coward on Tuesday March 29, 2005 @02:37PM (#12078457)
    A few years ago, I received a letter by mistake from the Harvard Alumnus Association. It was addressed to someone completely different. Nonetheless, I opened it, filled it out, and wrote a polite letter back to Harvard that they had spelled my name wrong, and needed to update my contact information. My request was all the more credible because I included the original letterhead they sent me, and the intended recipient had the same last name as me. Without double checking against the registrar's records, they complied with my request.

    I soon began to receive more mail from them, including invitations to reunions, which I accepted. It was awkward at first, but as I researched other Alumni's lives, it became easier to pass myself off as an Alumnus myself: "Hey Thom Davis! Do you remember the time when you accidentally got your foot caught in the broken-open drainage ditch? Oh, that was a hoot! And I'll never forget the look on your face! Har har!" Soon, with subtle suggestion, most Alumni even began to "remember" me and several of my antics. Amongst these Alumni was someone who had strong connections to the original Administration... I thought my charade was up - but much to my surprise, when he didn't find my name in the original records, he offered to help me "correct" them! "After all," he said, "Everyone here remembers you; the administration is at fault. What was your degree again?"

    Okay, it wasn't quite as simple as that, but in the end, I got my Harvard degree without ever attending. I nudged someone else off the list and took his place. I stole someone's identity and made it my own. In short, identity theft is also an administration issue.



    Malus Dei
  • by spagetti_code ( 773137 ) on Wednesday March 30, 2005 @05:53AM (#12087112)
    This guy is right "like it or not"

    I am not from the US, but I was sent there for a few months to work. My wife came too for the holiday.

    Some random notes about life without an SSN...

    • I decided to open a US bank account. Got a check book ok. Got a debit card. Then the fun starts - the bank calls back after two weeks to cancel the debit card. No SSN. The checks are 'starters' even though they start at 1000 (to fool those pesky shop clerks on the look out for checks that start at 1). Everyone refuses to honour them. So banking was a bust.
    • Couldn't use checks at walmart - no SSN.
    • Couldn't use VISA at Best Buy because it wasn't a US based VISA, and (you guessed it) no SSN. I did point out that I have used that VISA all over the world, except this very store. Strangely, I have purchased from there many times since so perhaps I just hit a loser that day.
    • A bank clerk called my passport a forgery when I tried to withdraw my money (since I couldn't use checks or cards) because it had a date "15/3/1967" - to quote ("there's no 15th month").
    I eventually found a website [cpsr.net] that provides fake SSNs you can use with minimal chance of dups. Suddenly everything went smoothly at the supermarket :-).

    The reason I think that SSNs are dangerous is that because it is a simple ID, America has become tied to it in a dangerous way. It's become a widely respected and accepted ID. But there is no security associated with it. SSNs leak easily but encapsulate too much power - your SSN gives me trivial access to stuff that's yours.

    Picture ID cards, money, driver's licences carry numerous security precautions - holograms, encoded data, special paper, the physical look of them. They are harder to duplicate (although it still does happen).

    What is missing is that the SSN should be a first step to identification - perhaps as a replacement for your name + birthdate (yeah, I know.... "I am not a number"). Then follow it up with other identifiers - license, other data only you would know.

    And people who don't need it *specifically* should not be permitted to force it from you. Sure, you can take your business elsewhere, but usually it's a pain, and sometimes you just can't. Personally I think it should be restricted to government departments only.
