Through my tenure as a student at the University of Maryland from 2000 to 2004, my social security number also doubled as my student identification number. I'd use this number and a password whenever I logged into the college's online management system, Testudo, which I did for everything from course selection and monitoring grades to signing up for basketball tickets. (Go Terps! 2002 National Champs whooo!) I vaguely recall having the option to change my student ID number to something else, but neither I nor anyone I knew ever went to the trouble of doing so.
This state of affairs comes to my mind at the moment because of an e-mail I got earlier this week telling me that my alma mater 'was the victim of a sophisticated computer security attack that exposed records containing personal information.' My name, social security number, and birthday are likely part of a cache of nearly 310,000 leaked records belonging to students and staffers going back to 1998.
63,000 College Students Hacked at University of Central Florida. You may also like. Apple's 'Instant Notes' Is a Must-Have on Your iPhone or iPad. David Murphy. Today 9:00AM.
After reading the e-mail, I immediately reverted to journalist mode; surely a security breach of over 300,000 computerized student records was the kind of story that would be relevant to the readers of this site. When I consulted with Ars Security Editor Dan Goodin on how to cover it, though, the response was pretty lukewarm.
'Data breaches like these literally happen every day,' he told me, adding that a few hundred thousand data records is actually small potatoes in the computer security world. 'Bigger ones are in the millions or tens of millions.' Furthermore, many such breaches leak much more than just a social security number and birthday (see Target's recent credit card breach for just one example). Dan even mentioned how his data from the University of California, Berkeley had been similarly compromised roughly a decade previously.
I can accept all that as true, and the UMD breach might not be as newsworthy as I thought. But still, this happened to me. This is important!
A lot of people I know feel similarly. In the past few days, I've been contacted by at least half a dozen friends and acquaintances from my college days, some of whom I haven't talked to in months, about the data breach. Some just wanted to make sure I was aware of it, but others wanted to see if I could use my position as a Big Name Technology Journalist to get some answers and hold someone accountable here. A few other Maryland alumni, who probably gleaned my alma mater from the footer at the bottom of all my Ars Technica pieces, have sent in similar requests.
I only have bad news for these people. Even if these things weren't as depressingly common as they apparently are, what's done is pretty much done in this case. The university has put up an FAQ saying the cause of the breach is 'currently under investigation by the University of Maryland Police Department, the US Secret Service, and federal law enforcement authorities, as well as forensic computer investigators,' to determine 'how our sophisticated, multi-layered security defenses were bypassed.' I'm personally not holding out hope that we'll ever get the full story on precisely what oversight let the hackers in, any more than we do for most such breaches.
And what does the 'how' matter, really, in the end? Would it cause me to moderate my behavior in any way? I'm usually pretty careful with my personal data these days, but there are going to be some cases where I legitimately have to give personally identifiable information to institutions I trust, such as, um, a university where I'm taking classes. I suppose I should have changed my student ID number to something less significant all those years ago (not using your SSN as an ID is good advice in pretty much every situation). It's not clear that that would have protected me in this case, though, since both student IDs and social security numbers were collected in the breach, the University said. It should also be noted that the University took steps to make sure student ID numbers didn't default to student social security numbers starting in 2005.
I guess I could go off the grid entirely, or demand a detailed accounting of the security and privacy procedures of every single institution I interact with, but sometimes I just want to go to Target and buy some toilet paper with a credit card without having to worry that my entire identity may be at risk. That's obviously too much to expect in this day and age, when simply living in the modern world inevitably puts your information out there in places that hackers can get to. For all the times you're able to give fake information to groups you don't fully trust, there are going to be situations like this where your real data is necessarily out there and not perfectly secure. It's actually a bit heartening that the University's data was segregated enough so that 'no financial, academic, contact, or health information was compromised,' according to the FAQ.
At least companies and institutions seem committed to limiting PR damage by offering protection after the fact. The University is offering a free year of Experian credit monitoring (and ExtendCARE service after that) to everyone who was affected by its data breach, and my credit card company took the proactive step of replacing a card I recently used at Target with a new one before I even had to ask. El poder de tu mente leonardo ferrari pdf completo chile.
If these post-hoc fixes get expensive and frequent enough, maybe we'll start to see a more serious shift towards institutions investing in protecting personal information before it leaks out, rather than after. For the time being, though, I'm just going to have to get used to living in a world where a 14-year-old student record in a database somewhere can expose private personal data about me to the world.
Home > Avatar The Last Airbender
|