Berkeley Grads' Identity Data Stolen

yali writes "Did you get a graduate degree from Berkeley? Or maybe you just applied but didn't go there? If so, your identity may have been stolen. A laptop was stolen containing names, social security numbers, birthdates, and addresses of grad students, alumni, and applicants. University police suspect that the thief just wanted the laptop, but the irony of California's mandatory notification law is that the thief may now know they have something even more valuable. Berkeley has set up a website with information on the breach."

Secret

[BWJones]

Personal data need to be treated as government certification of Secret documents, or at least give it Collateral classification level treatment. When personal data is checked out and allowed to be placed on laptops or other portable devices for removal from the central location where the data is stored, personal responsibility needs to be ensured and access should be confirmed by 1) need to know basis and 2) those who are trained to undergo training with confidential data.

Granted, this will not prevent all leaks as even the State Department [computerworld.com], CIA and FBI [crimelynx.com] have had problems with missing laptops, but they are getting better about data confidentiality and security through training and implementation of protocols designed to limit leaks and unauthorized access.

Los Alamos

[goombah99]

The problem is not just education. One has to create situations that engender proper handling of data. For example, if confidential data is only permitted on removable media and that media has to be a vault every night, signed in and signed out then its you have a situation where the person using the data and all of his or her collegues can tell by inspection if the person is not fulfilling their obligations. If its up to the person to always rememeber then eventually conveinence will override caution.

Los alamos national lab, contrary to the implied conclusions of all its bad press and false accusations, has in fact shown that the removable disk method is an excellent means of both tracking secret data and minimizing copies of it.

And even better approach is to make it even easier for people to maintain their data in secure forms without inhibiting their use of it. A good example of this is the macintosh laptop. Every macintosh laptop can transparently AES128 encrypt the users home directory and decrypt it upon log in. Of course you can set that up on a linux or Windows machine, but that's not the point. The point is it's already there on every mac ready to go by chekcing a box. It's not something that one has to spec. If you have to trasnfer the data to another machine you dont have to worry about setting this up. Co-workers know your machine has it. It departments can even enforce its use without penalizing the user. Ubiquity and ease of use is the key to getting encryption part of peoples work habits.

I work in aplace where wireless internet connections are not allowed in the building. Yet when I go on travel I use it. Like everyone else I have to remember to turn off the wireless in the laptop before jacking into the building ethernet. So do you think people remember to do that. Well a lot of the time yes but many times no. but with a mac laptop its trivial to configure it so the wireless and ethernet adapters cant be on at the same time. it's impossible to forget. By the way my company spends money to pay people to walk the halls with wireless sniffers and has to discipline workers that forget. All of that is lost productivity as well as the security exposure.

So in conclusion, any company that is concerned about data security that does not use macintoshes is wasting its money. Sure you can make a windows system secure but its the little daily things that keep it secure.

Clarification of classification

[sczimme]

Personal data need to be treated as government certification of Secret documents

First, I think you mean classification, not certification.

Second, there is a reason and a definition behind each classification. For example, the definition of SECRET according to the Defense Security Service (available here [dss.mil] (scroll down)) is as follows:

SECRET. The designation that shall be applied only to information or material the unauthorized disclosure of which reasonably could be expected to cause serious dam

Re:Secret

[hackstraw]

Personal data need to be treated as government certification of Secret documents, or at least give it Collateral classification level treatment. When personal data is checked out and allowed to be placed on laptops or other portable devices for removal from the central location where the data is stored, personal responsibility needs to be ensured and access should be confirmed by 1) need to know basis and 2) those who are trained to undergo training with confidential data.

That sounds fine and good, and wh

Re:Secret

[stinerman]

You raise good points, but what must happen is that people need to be more careful with their personal information. Most people gladly give away their phone number to Radio Shack, Best Buy, etc. at the drop of a hat. I'll bet you ~50% of people would give their SSN to any brick and mortar retailer (but not those hackers on the internets) if asked to do so. Most of them don't know that they can refuse to give out any of their personal information (of course, the cost may be not being able to do business with that store), but probably would so they wouldn't be put-out by having to go to another store.

Convenience trumps all with security being a close second and privacy a distant third.

Re:Secret

[cpeikert]

Personal data need to be treated as government certification of Secret documents, or at least give it Collateral classification level treatment.

You're kidding, right? Then practically every employee in the student services and financial aid offices would need a US Government security clearance, and none of the computers there could be connected to the internet.

Why do they need the SSNs?

[lecithin]

This is a pet peeve and it is just getting worse.

Why does a school need our SSNs? Why does anybody outside the government?

Here in Minnesota, I need to provide my SSN now just for fishing and hunting licenses. WTF?

Re:Why do they need the SSNs?

[DarkTempes]

they use it as a personal identification number (which it isn't supposed to be used as but since everyone has a unique one it makes it easy for them to do it).

they don't NEED to but they CAN and so they do.

Re:Why do they need the SSNs?

[anon*127.0.0.1]

But SSN's don't make very good personal ID #'s. They're not unique forever, because the government recycles them after a few years. I'm assuming the Berkeley has a fair number of foreign students, they probably have to generate some sort of artificial ID number for them... why can't they just generate an artificial ID number for all their students?

To answer my own question... they could, and quite easily. The difficulty lies in transitioning all your data systems from one ID number to the other.

Re:Why do they need the SSNs?

[anthony_dipierro]

They're not unique forever, because the government recycles them after a few years.

Insightful? This is patently false. There are some instances of multiple people having the same SSN, but these were accidental, and not intentional, and the government will issue a new SSN for people who are in this situation.

why can't they just generate an artificial ID number for all their students?

Read my reply to the parent. The school definitely needs your SSN. It probably shouldn't be used as a primary key, s

Re:Why do they need the SSNs?

[antifoidulus]

AFAIK, foriegn students do receive SSN #s, but an SSN # doesn't entitle you to social security benefits. Everyone who is not on a short term visa is required to get one. I hosted a student intern from Argentina here at my school and had to help her get all this stuff.

Re:Why do they need the SSNs?

[forand]

Berkeley does NOT use your SSN for your student number. It does, however need your SSN to provide you with federal financial aid and work. Since virtually EVERY grad student falls into one of these catagories they need the SSN.

Re:Why do they need the SSNs?

[defy god]

http://www.ssa.gov/history/hfaq.html

Q20: Are Social Security numbers reused after a person dies?

A: No. We do not reassign a Social Security number (SSN) after the number holder's death. Even though we have issued over 415 million SSNs so far, and we assign about 5 and one-half million new numbers a year, the current numbering system will provide us with enough new numbers for several generations into the future with no changes in the numbering system.

Re:Why do they need the SSNs?

[AmigaAvenger]

the government does NOT recycle them! There are only around a billion possible #'s though, so at some point they will have to be recycled. (SSN's are assigned randomly or sequentially, some of the digits mean something.) How SSN's work [howstuffworks.com]

Re:Why do they need the SSNs?

[G-funk]

Because your SSN (like our TFN, or Tax File Number) is your nation ID number. Wether you like it or not, wether it's legal or not, it's still a fact. You guys have it worse than us, we seem to have the TFN for all "official" docs like government, financial institutions etc, and we have our license no for everything else, such as video cards etc. But we're still in databases all over the world, easily indexed by a small number of different "unique enough" keys.

Re:Why do they need the SSNs?

[ikkonoishi]

#12074974, I am shocked by your assertation that my actions are being tracked by an ID number of some kind. All places should put the effort to protect our identities that Slashdot does.

Sincerly
#12072440

Re:Why do they need the SSNs?

[mikael]

Oddly enough, for certain college courses, students no longer put down their name, but just use their matriculation number.

And for various research journals, you will never know the name of the persons reviewing your paper, but only an identifier such as "IXL04356". But as you are now able to reply to the reviewers comments, the log of the discussion will appear to be something out of an Asimov short story.

Re:Why do they need the SSNs?

[Jerf]

I am not a number, I am a free man !

Sincerely, #171not-6not-6.

Re:Why do they need the SSNs?

[mzwaterski]

If by video card you mean a card for renting movies and by "you guys" you mean US citizens, then I would say that we our pretty similar to you. Video stores generally take a driver's license number or credit card to keep on file, they don't require a social security number and I don't believe I've even been asked to provide one optionally.

Generally, social security numbers are used for things relating to schools, banking/investing/fincial activities, and government documents like tax returns.

Re:Why do they need the SSNs?

[G-funk]

Ah I see... Due to the level of whinging that goes on around here, I figured in the US you needed your SSN to do anything more complicated than buying a litre (quart?/pint?) of milk :)

SSNs - problems, reasons

[spagetti_code]

This guy is right "like it or not"

I am not from the US, but I was sent there for a few months to work. My wife came too for the holiday.

Some random notes about life without an SSN...

• I decided to open a US bank account. Got a check book ok. Got a debit card. Then the fun starts - the bank calls back after two weeks to cancel the debit card. No SSN. The checks are 'starters' even though they start at 1000 (to fool those pesky shop clerks on the look out for checks that start at 1). Everyone refuses to h

Re:Why do they need the SSNs?

[matth]

I bet you don't NEED to.. just tell them you don't have one... they can't make you give them something you don't have... that's what I do.. I've never had a problem.

Re:Why do they need the SSNs?

[pixelpusher220]

agreed, one of my college roomates didn't have a SSN. Her dad paid the 20K tuition in friggin cash every year ;-) Even to the point of mailing her cash wrapped in tinfoil!

His 'profession' was 'auto parts reseller' - he drove around to mechanics selling them 'discount' parts. Um yeah right ;-)

Dunno what he was hiding, but it wasn't pretty I'm sure!

Re:Why do they need the SSNs?

[russler]

Think of how many institutions we deal with require our SSN. With Social Security supposedly going defunct in 2041 (from the headlines) do you suppose all of these organizations are going to be so forward thinking as to choose a new "key" for each of us by then? How much is it going to suck for kids in the future to be issued a Social Security Number when it's used for pretty much everything under the sun EXCEPT for obtaining Social Security benefits.

Re:Why do they need the SSNs?

[matth]

Exactly why my kids will not be getting SSNs!

get them SSN's

[Anonymous Coward]

They will need one eventually.

Without an SSN you can't get financial aid. I was born on a commune near the Canadian border and didn't have either a birth certificate or SSN for many, many years.

Eventually I got the opportunity to go to Moscow. It took me almost 2 years to get a passport. Needless to say I missed the trip.

I then applied to college and got accepted. Since we are dirt poor I applied for financial aid. They promptly said, sorry you are not enlisted with the selective service. I said no shit.

Re:Why do they need the SSNs?

[endoboy]

ahh.. you must be comfortably wealthy-- or, more likely, childless and blowing smoke.

SSN's are required to get the tax deduction for your children

Re:Why do they need the SSNs?

[flyingsquid]

Why does a school need our SSNs? Why does anybody outside the government? Here in Minnesota, I need to provide my SSN now just for fishing and hunting licenses. WTF?

Next time you apply for a license, just tell them you are John Kruptowski, 537 Cherrywood Circle, Minneapolis, Minnesota, 575-63-6216, currently applying to UC Berkeley's astrophysics program.

If you don't like that name, I got a zillion more.

Re:Why do they need the SSNs?

[anthony_dipierro]

Why does a school need our SSNs?

They definitely need it so they can file a 1098-T at the end of the year. They probably also need it so they can do a credit check on you, both to determine if they're going to admit you, as well as to determine whether or not you qualify for whatever tuition plans they offer (unless you're prepaying in cash, the school is giving you a loan). If you're a transfer student, they need it so they can verify your transcript, this could perhaps be done in another way, using yo

Re:Why do they need the SSNs?

[fuzzybunny]

OK, agreed, tax & SS-related forms are legitimate.

Now: what abou the whole "credit check" thing? Let's ask a more fundamental question--why is the SSN required for this sort of thing at all? Or for transcript verification?

Simple answer: It's a unique identifier, you said it. Funny thing that, doesn't the Social Security Act specify that the SSN is not meant to be used as identification except for Social Security purposes?

You hit the nail on the head with the word "easy". It's easy. "Easy" is n

Some Are Switching

[LighthouseJ]

My school has switched from using Social Security Numbers to our unique numbering system. I can use this number in everywhere where I used to use my SSN when logging into secure sites, signing up for university classes, etc... Even my state of Virginia changed over from SSN's on the license to "Customer Numbers" which mean nothing to anyone who doesn't need to know my ID.

Re:Why do they need the SSNs?

[shoppa]

Why does a school need our SSNs?

Many grad students are employed by the school. This is something they'd collect not on application but on the student showing up to work.

For undergrad financial aid, there's the requirement that male students be checked to be sure they're registered with Selective Service. Some schools use this as an excuse to collect SSN, but I think it's a lame excuse because when I registered at least (many years ago you can tell!) I didn't even have a SSN.

Re:Why do they need the SSNs?

[enbody]

Ask the university department responsible for fund raising. They will tell you that the easiest way to track alumni in the USA is with SSN. If you have someone's SSN, it is easy to find their up-to-date address -- critical for fund raising. There are businesses which will provide you with up-to-date addresses, if you give them SSNs. My university does not collect all student SSN so it is severly handicapped in fund raising.

Re:Why do they need the SSNs?

[vettemph]

Score:+5 Funny?
More like
Score:+5 Scary!

No!

[TheSpeedoBeast]

Oh, HELL no, I just applied there!

Re:No!

[tomhudson]

That's okay. Don't worry. I can now sell you a genuine degree. Wink wink, nudge nudge.

The price is cheap and lets you get into the job market that much quicker: $5,000.00 in Doritos and Mountain Dew [tt]

Mind you, it's ALWAYS been possible to game the system to get universities to issue degrees. Records are lost, etc. It used to be that you had to go in with fake paperwork a couple of decades later, be really insistent, and walk out with your sheepskin. Nowadays, it's SO much more convenient, thanks to the

It's easy to encrypt in Windows

[caluml]

Windows, love it or hate it, makes it very easy to secure your data on a laptop. Just right click, and buried somewhere in there (Advanced options or something) tick the Encrypted option.
Better still, just create a directory (C:\Encrypted), and encrypt the folder, and all subdirectories.
Of course, there are issues with losing the encryption key, but as it's a laptop, and probably only has the one harddrive, I would expect the person to be keeping a backup somewhere else.

Re:It's easy to encrypt in Windows

[Zemplar]

"Windows, love it or hate it, makes it very easy to secure your data on a laptop. Just right click, and buried somewhere in there (Advanced options or something) tick the Encrypted option."

I'd bet your paycheck that the password to login is on a post-it stuck to the laptop's keyboard!

"Of course, there are issues with losing the encryption key, but as it's a laptop, and probably only has the one harddrive, I would expect the person to be keeping a backup somewhere else."

HAHAHAHAA! A Windows user? I

Re:It's easy to encrypt in Windows

[tmasky]

With Win2k, maybe XP too, you need to download a special pack to get the 3des cipher if your copy is from outside the US. IIRC, this isn't even the default cipher. Plain DES is! (which is very insecure ;))

Screw encrypting stuff with 3des =/ Laptop power is precious enough as it is.

Re:It's easy to encrypt in Windows

[caluml]

I assume that the person that stole the laptop wasn't targetting it - they just had a quick browse (maybe it auto-logged in a la XP), and went "Wahey, a nice spreadsheet full of gumpf - maybe I can sell this." I'm sure single DES would have stopped them.

Re:It's easy to encrypt in Windows

[canuck57]

Windows, love it or hate it, makes it very easy to secure your data on a laptop

I am not sure Windows has anything to do with it as any OS supports crypto, the question is why did an application designed to hold social security numbers on a insecure PC not encrypt the data store?

Users will not do anything they do not have to. An encrypting/decrypting files leave copies of data un-encrypted on the disk. So blaming the user is not it either.

I would blame whomever aquired and authorized the use of the

idiots

[Mr. Underbridge]

I am not sure Windows has anything to do with it as any OS supports crypto, the question is why did an application designed to hold social security numbers on a insecure PC not encrypt the data store?

Something tells me the whole thing was on Excel.

There is absolutely no reason to have anything like this on a laptop. If there is some reason one would need the information from a laptop, you can access it from a server using a client that won't make a local copy. Ridiculous.

Re:It's easy to encrypt in Windows

[Wingsy]

Just as easy if not easier in OSX. Created an encrypted disk image (AES 128 bit) where the files are to be kept and do not put the pw in the Keychain. I'd trust encryption on a Mac a zillion times more than on Windows.

Re:It's easy to encrypt in Windows

[jocknerd]

Or you could just encrypt your entire home directory with File Vault. I'm doing this in Panther on my iBook with no problems. Of course, you can still make an image thats encrypted with AES128 inside of your home directory thats been encrypted.

Re:It's easy to encrypt in Windows

[Pingsmoth]

Macs used to have that feature in OS9 and possibly OS8, but it's gone in OSX. Weird. You could ctrl-click on any document and get an option to encrypt it.

Wow...

[InterruptDescriptorT]

Talk about your OpenBSD (Berkeley Social Data)...

Privacy

[Tom]

Let's hope the sheer amount of identify theft problems will spearhead a push for more privacy protection.
I don't just mean everyone gathering less personal information, I also mean making sure that what they do gather is adequately protected. You have a resonsibility to your clients, customers, whatever.

Re:Privacy

[tuxette]

You may want to use the EU Personal Data Directive (95/46/EC) [cdt.org] as a starting point. But even the Directive has its weaknesses...

Re:Privacy

[Tom]

The problem here being that

a) the US (where most of these problems happen) is not a member of the EU
b) the US has put immense pressure and bought/bribed some politicians in the EU to bypass the EU directive, even where it would apply to US businesses (i.e. transfer of data from EU to the US).
I say bribed because the affair (about a year ago) was quite similar to what's happening with the software patents right now - only insanity or bribery can explain the behaviour of some key persons.
If I recall correctl

Wrong Wrong Wrong!

[Penguinoflight]

The problem isn't securing the information better, the problem is the information is your enemy. Security is an oxymoron in this case, no matter how well you lock down the systems there's nothing keeping someone inside from stealing information.

It's like everyone has their own poison being stored by someone else. The problem isn't who's storing your identity, the problem is your identity is a vulnerability!

Until a non-vulnerable identity is made, organizations should respect people's privacy even if it

Retinal scans

[happyemoticon]

I will personally champion the cause of retinal scans as the only valid form of identification, as shown in the book/film, Minority Report. Sure, that will mean having a national database of retina biometrics, but this will be impossible to fake as long as the scanners are powered by a serious, closed-source platform like Longhorn, and equipped with bombs so that the Orrin Hatch can blow up offending units.

In other news, as of 8:00 am this morning, I have filed my application with Berkeley's optomology pro

The real problem: unchangeable passwords

[pocari]

The real problem is that banks, credit bureaus, and schools are allowed to continue to pretend that knowing someone's SSN and birthdate is proof of anything.

It seems like this could be solved with a public database of SSNs and birthdays. Once you list yourself, you can tell credit bureaus and banks that this information has been widely published, and therefore anybody who acts like it's a secret is negligent. Civil disobedience for the information age.

I am too chicken to go first, though.

Re:The real problem: unchangeable passwords

[anthony_dipierro]

The real problem is that banks, credit bureaus, and schools are allowed to continue to pretend that knowing someone's SSN and birthdate is proof of anything.

Schools maybe, but what bank or credit bureau does such a thing?

It seems like this could be solved with a public database of SSNs and birthdays. Once you list yourself, you can tell credit bureaus and banks that this information has been widely published, and therefore anybody who acts like it's a secret is negligent.

I am too chicken to go first

Re:The real problem: unchangeable passwords

[pocari]

As an individual act, it is foolish. Which is why I am chicken. You cannot boycott the bus system by yourself and expect change. But if enough people did it, businesses would be forced to figure out something else. You can't put a note on everybody's credit report and expect the system to run smoothly.

Re:The real problem: unchangeable passwords

[matth]

I have been "bucking" the system for years... the only people who have my SSN are my bank, my employer, the IRS, and my college (due to some horrible mixup that occurred when my parents gave them my number back in my youth.. however I got the school to generate a number for general use.. but they refused to remove my SS from the database)..

But.... I've happily gone around not giving out my SSN.... Given Blood, etc, etc... just say "sorry, I don't have one".

Re:The real problem: unchangeable passwords

[anthony_dipierro]

But you're assuming it's a bad thing in the first place. If someone wants to give someone a loan without first checking that they actually are who they say they are, why should I care just because they say they're me? Sure, up to a year later I'll notice a false statement on my credit report, and I'll have to make a phone call or 2 to get it removed, but ultimately the person who really gets screwed over is the person who made the loan in the first place.

There's enough disincentive against banks in just

Re:The real problem: unchangeable passwords

[anthony_dipierro]

"A phone call or two" are not how most of the stories of abused credit ratings read.

Because "a phone call or two" doesn't make for a very good story.

Seems to me more like a multi-year process of making calls and writing letters, and dealing with sleezy collection agencies.

If you catch it soon enough it's not going to get to that. I strongly recommend that everyone check their credit once a year. Under a new federal law you can do this for free in every state, it used to be state law in only some s

Re:The real problem: unchangeable passwords

[ArmchairGenius]

I agree. Although I think the real problem here is the idiot policy or person that allowed a large amount sensative data like this to be stored on a laptop

That is just begging for a class action lawsuit.

Biometrics

[failure-man]

With all this personal data getting stolen (and the tinfoil crowd will hate this) the only way to avoid a complete infoclypse may be to actually appear somewhere in person and have your identity biometrically certified when you apply for credit.

These leaks aren't gonna go away, so we'd better start finding ways to make them irrelevant. Sure, it'd be inconvenient and raise privacy concerns, but I'd rather have my prints on file than have my bank accounts cleaned out and credit ruined with little, if any recourse, solely due to someone else's blunder.

Re:Biometrics

[tuxette]

Riiiiiiiiiiight. Until someone decides, just for a cheap thrill, to mess around with the databases matching people to their biometric data. (Among the many things that can easily happen to fuck everything up.) Then the fun really begins!

Re:Biometrics

[Sierpinski]

I have to agree. Instead of trying to protect information like our SSNs (which will never happen) we should instead make it more difficult to apply for these credit/life ruining things, like credit cards, loans, whatever. I have a little trashcan on the inside of my front door that all of the credit card applications, mortgage applications, and anything else that is more than a 'To the Resident At...' letter. Those get shredded, then incinerated.

How honest do you think all of the waiters/waitresses are in

Great

[baadger]

[/blockquote][I]...but the irony of California's mandatory notification law is that the thief may now know they have something even more valuable[/I][/blockquote] And in another twist of fate the theif is a hardcore slashdotter.

Wow...

[jpiggot]

..and the irony of the theft...is that pot dealers are anixously bidding for the laptop on Ebay, for a chance to sell weed to more than enough smokers needed to put that down payment on that cool 50ft motoryacht they've been wanting.

I kid because I love. What other university lets you major in "crispy" ?

Yeah, but what's the thief gonnado with it?

[91degrees]

Identity information is only useful to people who know how to perpetrate identity theft. If this crook knew how to do this the chances are he'd already have looked. And he has to realise that it is the laptop he stole.

It's a problem if he knows this and knows someone who knows what to do with the data, but at least with disclosure the victims know they are at risk.

My identity stolen?

[anthony_dipierro]

No, my identity may have been copied, but my identity certainly wasn't stolen.

Re:My identity stolen?

[anthony_dipierro]

Bill Gates SSN is 539-60-5125. That is public knowledge and has been for years (his address is too). Now do you think he's lost his house or has any trouble using credit cards?

How would you lose your house due to bad credit anyway? Once you've been approved and bought the house, as long as you make payments, you're not going to get your house taken away no matter how bad your credit becomes.

Can you say "Irony"

[tomhudson]

SISS, UC Berkeley - Social Security, Driver's Licenses, and California ID Cards [berkeley.edu]

Social Security Number Safety

Although a SSN is only meant to be used for tax and government purposes, it is often used by financial institutions, businesses, and others as a unique identification number. Because the SSN is a unique ID, it is often the target of "identity theft". Therefore you should be very careful about where and to whom you give your SSN.

• Never carry your Social Security card or number with you. Keep it at home in a secure place.
• Only give your SSN to someone who has a specific and legitimate need for it.
• Be very careful with any forms, applications or other materials that may have your SSN on it.
• Never give your SSN to someone who phones you. You should initiate the call or meet in person.
• Never reply to email or web sites that request an SSN.

Gee, too bad they don't follow their own advice to "be careful". Guess they haven't quite gotten the hang of that "intarweb thingee" yet.

Why does the notifcation have to be public?

[vrimj]

Unless they have no idea what specific data was involved why not just send these people a letter?

As I read the law personal notifcation is not only allowed it is prefered. The complants about "now the theves know they have something valuable" seems like it is more a result of the choice to hold a press conferance and save the cost of a lot of stamps.

Re:Why does the notifcation have to be public?

[WebHostingGuy]

I think it really doesn'y matter. As soon as someone gets the notification someone will tell the press. Also, by releasing it out you control the story and timing. There is no way a story about a large university losing this data would stay out of the media.

Re:Why does the notifcation have to be public?

[Life2Short]

Send a letter where? I was at Berkeley '94-95. Since then I've lived in London, Western MN, San Francisco, and NC. Since the data includes people who got degrees in the '70s, they might not be too easy to track down.

At Least It's Not Arrogance

[mirio]

Well, during my undergrad years at an unnamed university...oh what the hell...The University of West Georgia [westga.edu], I worked in the ITS department on campus which was responsible for all the applications in our internal system called Banner (a big freaking waste of money for an Oracle Forms application..but that's another discussion for another day).

Anyway, my role was to prepare reports for various people around campus. For example, if a student organization required a given GPA for membership, their faculty advisor could request a report of all students meeting the criteria.

The thing that most amazed me when I started working there was the complete lack of respect for people's social security numbers and birthdays. Any professor on campus could get pretty much any information he or she wanted.

Even more brazen than this activity was the infrastructure on campus. Every user ran their applications over a telnet session. Yes....telnet. I demonstrated to my boss how easy it was to run a packet sniffer and catch social security numbers as they went across the wire..but all my concerns fell on deaf ears. I also showed them how SSH could be used as a direct replacement for telnet but again...no one seemed care.

I then wrote a letter to the editor of the University's only newspaper describing the lack of respect for peoples' personal information, but the letter was never published. When I e-mailed the student editor and asked why my letter wasn't published, she said she was asked by the administration not to run it.

I graduated in 99 so I'm not sure if any changes have been made. I would love to know.

Re:At Least It's Not Arrogance

[emotionus]

I'm a undergrad student now. Currently not declared.

Anyways, who should I go talk to? I also know a CS gradstudent here.

I could give my liberal hippy friends soemthing to protest about on campus.

Re:At Least It's Not Arrogance

[Skater]

When I was a teaching assistant at the University of Georgia, we were given the SS# of every student in our class. I never once used them, and I would've strongly preferred not to have them at all. Also, we were never given anything saying, "Hey, this information is confidential and should be treated with care." (I know that's obvious to you and I, but it's not obvious to everyone.)

The only reason I could see for us having SS# was that without them we were relying on names to be unique within a given cla

Re:At Least It's Not Arrogance

[Fancia]

Dear Goddess, that school uses Banner and doesn't even bother to use its own ID system? o.o; My school uses Banner, too (although I can't comment on the quality of the system - I'm on the student side, not the faculty/administration side), but they assign us specific Banner IDs that we use everywhere instead of SSNs or whatnot.

Too much

[QuietLagoon]

Why was that amount of personal data allowed to be on a laptop in the first place?

Re:Too much

[tuxette]

I was about to ask the same thing.

What a lot of "security officers" seem to neglect is that an important part of security is to make what one would want to steal physically difficult, even impossible, to do so. This would perhaps work as a last resort against other stupidities such as forgetting to encrypt or letting non-authorized persons in a restricted zone.

Incidentally, a laptop doesn't even need to be stolen. Call any train station or airline and ask them how many laptops are forgotten each day. Each week. Each month.

Nobody raises an eyebrow when they see someone carrying a laptop on a university campus. Someone trying to haul a big machine would draw more attention.

Why all on a latop?

[WebHostingGuy]

Why was all of this on a laptop?

Sensitive information should be placed in a central repository and then encrypted and guarded. The mere fact that someone can download this to a laptop shows that their mindset is that this information is just normal stuff like a word document. Before you can have true security organizations need to get this first.

Re:Why all on a latop?

[wrenhunt]

Exactly! The media is missing the point here too that not only that data was taken, but why was all this stuff on a laptop in the firstplace?

California Universities

[That's Unpossible!]

Is it just me, or is this like the third story of personal information being stolen from California universities recently? WTF is going on over there?

As an aside, my girlfriend lives in California, and someone opened a credit card in her name soon after she had sent in applications to several California universities applying for grad school.

Re:California Universities

[ahodgkinson]

• Is it just me, or is this like the third story of personal information being stolen from California universities recently? WTF is going on over there?

Nope, it's not just you. The same thing is going on everywhere else. It's just that in California they have a law [ca.gov] that requires disclosure when data gets out. (article describing law [securityfocus.com])

The reason you keep hearing about data leaking from Californian universities is because they actually follow the law, unlike some federal agencies [slashdot.org].

Re:California Universities

[JohnsonWax]

I work at a CA university, so I know the answer.

The answer is that CA passed a law a year ago that mandated notification of personal data theft (there's a list of data elements that trigger this) either directly to the individuals or publicly if that is not possible.

What you're seeing in CA is the first semi-proper accounting of how much data theft is taking place. The reason you don't see it in other states is that they don't have such laws, so it's not being disclosed. It most certainly IS still happeni

That's ok.

[RandoX]

I don't use my own identity anymore anyway.

Is it really irony?

[Sigma 7]

but the irony of California's mandatory notification law is that the thief may now know they have something even more valuable.

Unless there is going to be an unconditional format of the hard drive in question, either the thief or the fence (i.e. buyer) would have discovered the data eventually. Given that it's most likely an MS Access database, it shouldn't be too much of a problem extracting those numbers from the file.

In the event that difficulties are encountered, it's not too hard to find someone on the black market who will crack the information (e.g. brute forcing login passwords to gain access to whatever that follows.)

Any irony obtained by the law will only accelerate what would have occurred normally.

Colleges by and large don't respect privacy

[brontus3927]

When I was in college, to enter the dorms and other "sensitive" areas, you had to swipe your school ID. To purchase food on your meal plan, you had to swipe your ID. You could put money into a debit account to buy things on campus and select off campus stores (like the local gas station), and swipe your ID to use it. The ID sent unencrypted the student's SSN. Anyone with a POS card reader and access to a student ID could retrieve the SSN, and legal name (printed on the front of the ID).

If you lost your ID, it was a simple matter to go down to Student Accounts and get a new one for $10. But since the SSN is used as an ID, the old ID card couldn't be deactivated and the missing one could be used by whoever found it.

Thankfully, last year they switched from using SSN to a 12 digit ID number generated by the college. However, "lost" cards are still usable

Lawsuits?

[Quixote]

Seeing how lawsuit-friendly the US society is, why haven't more people sued these companies which "lose" private data?

If you just slip and fall on the grounds of a business, you can expect to make a couple 100 Gs for "mental suffering". Why not do the same here? People should get together and file class-action lawsuits left-and-right. Then watch the companies scramble to protect the data.

Don't get me wrong: I am dead against frivolous lawsuits. But the language of financial pain is the only language these businesses understand. "Morality" is a word that is not there in their lexicon.

You can't.

[EvilStein]

You're not "their customer" so therefore you have no recourse. See: ChoicePoint and the 145,000+ people they screwed over.

Poor devils.

[bobbuck]

Wow. These poor guys will be branded as Berkeley alumni for life.

Welcome back

[Alomex]

It's nice to see that Ian Goldberg is back to its old self.

Torrent?

[Cyn]

I can't seem to find it yet, anyone have it?

And the funny thing is...

[Chibi Merrow]

I took my GRE Saturday and Berkley was one of the schools I checked off to receive my scores... Ahwell, the thief will be long gone before my info gets there... ;)

Whoever lost the laptop should be liable

[blueZ3]

This kind of thing just ticks me off no end. Some Berkeley bureaucrat leaves a laptop in their car, which will no doubt result in 1000s of stolen identities, lives ruined, tens-of-thousands of wasted hours? and they?re likely not even going to get a slap on the wrist. Personally, I?d make any individual who is responsible for this kind of thing financially liable for damages. I?d also try them for criminal negligence and possibly for aiding and abetting fraud. Then I?d let each person who has their identity stolen take one swing at them with an aluminum baseball bat. Currently, there?s just no accountability for this type of thing.

You would think they could learn...

[MasterVidBoi]

This would be the *third* time that a University has 'lost' my personal information as an applicant, either for undergraduate or graduate applications, during the last 4 years.

Perhaps future applications should seriously consider refusing to provide a SSN until they make it though the admissions process.

I'm still waiting on real data privacy laws too, even if they are California only.

So what is the answer?

[Some Slashdot Reader]

So what is the answer? Consider the following:

-An application requires that the user be able to process personal data about clients.
-The Social Security Number and other "sensitive" data is required by US government.
-The application must work across a wide geographical area. The application is on PCs that although locked up in buildings, could be stolen.
-Regardless of connectivity the data application must perform all functions, access all historical records of the client. So it must have some sort of loca

Bunglers

[Doc Ruby]

There's an epidemic of identity theft across the country. Many thousands of American lives are being ruined overnight by theft and fraud. International crime syndicates, including the huge Russian and American mafias, are directly involved. Where's the FBI? Busy working on the Patriot Act to protect us from "terrorists". Thanks, Ashcroft, and, er, uh, who's that guy who replaced you this year?

Happened at my University too.

[Maul]

Last summer, I received a letter from the University I attended. They said that a computer system containing records for just about all current and former students had been compromised, and that it was possible our personal information (including SSN, etc.) had been stolen.

This is obviously not a unique situation.

Re:Identity data stolen from a private university

[tuxette]

UC-Berkeley is a state university.

Re:Identity data stolen from a private university

[Doctor Faustus]

The AC was probably thinking of Stanford.

Re:Identity data stolen from a private university

[Muttley]

umm, sir, Berkeley is a State University... University of California. It in fact might be one of the best public universities in the country, alongside UT Austin, UW Seattle, Georgia Tech, and that probably wraps up my knowledge of US Public Universities.

Trivia - who is the highest paid state official in California...?
The coach of the UCLA Football team.

Re:Identity data stolen from a private university

[chialea]

Perhaps I'm biased, but I'd have to rank Berkeley higher than those other schools. In CS, it's certainly ranked higher, though UW is reasonably close and Georgia Tech has been hiring well recently. In addition, Berkeley has hundreds of top-10 departments; virtually any discipline you can think of has a top-level department.

But hey, I went there as an undergrad and loved it, so I may well be biased.

Lea

Re:My college, too.

[deadweight]

"To get there, you have to go to a specific hallway, on a specific floor, in a specific building" Doesn't that describe ANY physical location inside ANY multistory building?