July 17, 2008
U. of Texas Contests Accusation of Personal-Information Disclosure
A watchdog Web site that monitors online disclosures of personal information has accused the University of Texas of making the private data of 2,500 students available online and easily accessible through a simple search on Yahoo.
The university said the Web site team, from SSNbreach.org, used sophisticated search methods unknown to lay people to find the personal information, The Daily Texan reported yesterday. So there was little risk of identity theft, officials said. But Aaron Titus, spokesman for SSNbreach.org, told the newspaper he was doing a routine search with Yahoo, using simple search terms such as “social security number,” when in January he stumbled upon 63 files posted by UT professors. The files contained 66 complete and 459 partial Social Security numbers, 17 dates of birth and more than a thousand addresses.
Mr. Titus notified the university of this information disclosure two weeks after his findings, but the center had already restricted the information 10 days earlier. This is the third time Mr. Titus found a lapse at UT.
The university, which told Mr. Titus in an email that there was “no evidence to indicate any malicious use” of the compromised personal information, only notified 41 students of the disclosure. The newspaper reports that Texas state law defines sensitive, personal information as certain data combinations, such as first name, last name and Social Security number. UT says that what Mr. Titus claims to be personal information “is not what the law requires to trigger a notification.”—Maria José Viñas
Posted on Thursday July 17, 2008 | Permalink |Comments
Commenting is closed for this article.
Previous: Computer-Science Courses Attract More Students
Next: American Library Association Unveils Slide Rule for Copyright Advice
Alamo Community College strictly regulates posting grades by SSNs. However, they still illegally use SSNs as ID #s for all students, faculty, and staff. Any employee with access to a database (i.e., most of them) can get thousands of SSNs easily. I wish the watchdogs would come look at this incredibly corrupt institution.
— Renae Jul 17, 04:56 PM #
Renae – Alamo is not alone. As one involved with moving an institution from use of SSN as ID (which MANY schools, agencies and other entities do) I can tell you it is an incredibly complex and expensive task.
— Lee Jul 18, 08:17 AM #
Hey UT … cite the law all you want, but you (your agents [professors]) posted personally identifiable information. How about doing what is right and alerting those whose information was exposed and “potentially” available for misuse? Let the “customer” decide if it is a problem or not. The article also cites a large number of “partial” SSNs — if it is the last 4 digits, this is widely used to verify identity when calling various organizations. A partial SSN is only slightly less problematic than a full SSN.
By the way, congratulations to UT for constructing a carefully worded CYA — “there was ‘no evidence to indicate any malicious use’ … “ As an analogy, I can state “there is no evidence that I cheated on an exam,” but that doesn’t mean I didn’t cheat. How about using a standard of “we are not certain whether this information was misused,” in which case you notify all parties. Further, if you only notified a small subset of the parties whose data was exposed, you haven’t sampled a wide enough population to make a valid conclusion.
UT stakeholders deserve more professional courtesy and respect.
— Kevin O Jul 18, 11:56 AM #