SSNafu Protests Go Digital
In response to a goofy mix-up in which five thousand of your names and social security numbers were posted on the Internet for 16 months, one student wishing to remain anonymous has posted a statement of disapproval/demand for change on Petition Online.
Students bothered by the incident (we hear there may be a few of you) are encouraged to sign the petition, which will later be emailed to Scott Wright, he of yesterday’s fateful email, Elizabeth J. Keefer (CU General Counsel), and Joseph A. Ienuso (Executive VP, Facilities).
Tags: housing, mishaps, protests, SSNafu
11 June 2008 @ 2:35 PM · 36 comments
on 
As one of the 5,000 people whose name and SSN may well be floating around in cyberspace, I don’t really blame Columbia for this, but I do find all this typical Columbian overly reactionary protestation to be amusing. Shit happens, and I don’t see how the university could reasonably prevent individuals from doing stupid things. The fact of the matter is that people with access to confidential information sometimes make mistakes with it.
All an institution can do is limit the number of people who can access that information and train them not to disclose it. I’d be shocked (and signing petitions) if that weren’t done at some level, but it seems like people are being a bit too quick to blame Columbia when the response so far has been rather generous.
Did you actually reading the petition, or are you just being a typical jackass who criticizes anything Columbia students do as “typically Columbian”? The petition is very reasonable and well written; furthermore, the fact that this is the second leak in just over a year indicates that Columbia significantly failed to address the root problem the first time. A demand by damaged parties for Columbia to alter its policies after repeated failure seems, actually, to be entirely reasonable.
I did read the petition, and while I liked that it was well-written and far from overdone, I chose not to sign because I don’t blame the university for one individual’s lapse in judgment. I don’t know whether the university is legally liable for the actions of the student, but personally I’m more upset at that individual for acting stupidly than I am at the university for failing to prevent it. However, not being vengeful, I don’t give a damn whether or not he is punished. It won’t change the fact that the numbers were posted. What other housing information has he posted, though?
It stands to reason that the university would have databases of SSN information and that certain employees might need access to them. Beyond instructing employees not to be dumbasses like this guy, what do you want the university to do? Add a module to the now-mandatory diversity seminars?
In my opinion, an employee made a mistake, the university did the responsible thing and notified all people concerned and took steps to help them manage the (very low probability) event of the SSNs being misappropriated, and will undoubtedly try to prevent this from happening again. I don’t see any reason to demand a list of what they come up with as a pacifier.
You should probably identify yourself as such if you’re affiliated with the petition’s author, by the way.
this have to do with diversity seminars? Don’t be an ass.
While I agree that it is somehow blaming the university, why do you think that transparency in the whole ordeal is a bad thing? I agree that Columbia is not able to micro-manage every retard that it employs (students especially), but the fact still remains that this is the second major breach of security in a few years and Columbia has done little to show it has improved itself. I don’t want to go to a school that is careless with my information…how do you know that people who handle sensitive info ARE trained correctly? My guess is you don’t and like someone said earlier are just being the anti-anti-Columbian douchebag for no real reason.
I agree with Ron Gejman, there is no reason anyone should be using our SSN’s in a mass distribution list like this. The only department I can imagine that needs them is Fin.Aid (and maybe the registrar as well) in these kinds of exports.
The individual in question appears to have posted other housing information online, which, doubtless, is in express violation of his contract with Housing.
The University is in many important respects (not the least being the legal respect) responsible for the actions of its employees. Consequently, the generosity which you have made note of may also be considered ‘ass covering,’ a distinction that has been debated in these pages before. While your analysis is not unprecedented, it is questionable.
I would encourage any petitioners to send a copy of the petition to the three individuals named above, in addition to signing the online petition. Their unis are available on Columbia’s home page.
you’re right… the petition is decently rational… which basically means it will be ignored by columbia…
who wants to hunger strike with me until columbia agrees to give me a lifetime supply of this silly credit monitoring thingy? that’s the real way to get results around here…
dogs and cats sign if they’re tired of being mistreated by their owners?
A pet-tition!
did anyone notice that one of the signatories is “Amanda Hugnkiss”?
Late move-out: $100/hour + $50/each late hour
Late bin return: $1,000,000
Key Replacement Fine: $50+
Housing Cancellation Fine: $100
Charge if your roommate leaves the room after you and makes a mess/breaks something: an equal charge of labor/replacement
Consequences if Housing fucks up their job, as they have consistently done over 3 years, jack shit. In the private sector, these incompetent bastards would have been fired 3 times over.
The university can and should take action to ensure that SSNs are never used outside of the financial context where they are needed.
Why does Housing export SSN data? My guess: because it’s as easy as a checkbox in their “export” form. It should be Columbia’s policy to restrict access to SSNs (and other information such as bank accounts, credit cards, etc) in mass exports. Instead, since we all have several internal unique identifiers, those should be used. UNIs and C00 #s are more than adequete for Housing and other needs.
just to further ron’s point:
WHY was this person able to export an excel file like this? usually such information is only available by searching through, not one transferrable file…
what is this a petition to do, aside from bitch? if you ask what will be done to prevent this in the future, the answer is simple:
we no longer have your ssn so we can’t lose it.
what else can you ask for?
i think the most responsible and mature thing to do would be to lynch the dipshit who posted our data “accidentally.” why, i ask, should we assume that this posting was innocent? it’s not such a stretch to imagine an unscrupulous student selling identities, wouldn’t be the first illegal transaction that has gone down on campus
columbia’s page on ssn security. fucking hilarious:
http://www.columbia.edu/cu/administration/policylibrary/policies/cuit/00bb9c6714dca2270114f656b5830003.html
a choice quote:
“The University’s policy is to protect Social Security Number (SSN) or equivalent data from unauthorized or unnecessary disclosure…”
“# eliminate unnecessary storage and use of SSNs in University documentation, practices and systems;
# eliminate the use of the SSN as the primary identifier at the University;…”
this policy, according to the website, was established june of last year.
I was able to access that page this morning.
Now it’s down. Can anyone confirm? Also, can anyone save the google cache for that page?
http://www.columbia.edu/cu/administration/policylibrary/policies/cuit/00bb9c6714dca2270114f656b5830003.html
The policy was enacted in June 2007. This information was posted in Spring 2007. Given the date of this posting, this isn’t the second time in a year that this has happened, it’s a discovery of a somewhat obscure website with an infraction dating back to the older, proven ineffective policy.
Hence, this petition is bitching.
actually, if you check the previous bwog post on this you’ll see there was a similar leak in april of last year, which presumably led to the june 2007 policy, which did nothing to prevent us from getting fucked.
the petition, which asks for a better and more transparent policy, is thus legitimate.
Right, last year’s leak occurred in April 2007. This Googlecode post was made around the same time (Spring 2007), though it was not discovered until recently. The new policy was put in place in June, in response to the first incident, and could not have prevented the as-yet-undiscovered prior posting of the googlecode file.
The reason the new policy did not prevent anyone from being fucked is that the fucking occurred prior to the policy; it’s only now that anyone realized the fucking had transpired. Understand?
If anything, the policy appears to have worked insofar as no one has posted SSN numbers online (to anyone’s knowledge) since June 2007.
It’s worth pointing out, again, that the information was revealed as leaked last year, but was not found on the internet and taken down until this year. It may well appear on the internet again. That sticky little problem demands a solution.
Anyone’s knowledge is a broad statement, when it refers only to your own knowledge. Your knowledge is, in this case, trivial. There are other people who could do a lot of damage with 5,000 social security numbers, and they don’t need to do it tomorrow.
You’re confused. The “leak” was a separate incident in April 2007. This was a previously unknown situation involving a different set of SSN numbers, which were leaked/posted online in Spring 2007 and then discovered this week.
“Anyone’s knowledge” in my original post, if you go back and read it, refers to the fact that no one has found any other such leaks, not that they as a rule do not exist.
I don’t claim any special knowledge of leaks or lack thereof, I merely wished to point out that there have not been any (discovered, or “known”, i.e. “to anyone’s knowledge”) further leaks since the new security policy was instated in June 2007.
I’m not confused at all. My social security number was released on both occasions, from the same database and possibly by the same person. That’s quite enough for you and your legalese, troll.
I’m not a troll, dude, my name was on the list too. I just think this petition idea is stupid, because they already strengthened the policy in June 2007. This event happened before that — what don’t you understand about that?
Wow…yesterday I discovered someone emptied my bank account without my knowledge, and I wondered if it was related to this. Thanks, Bwog!
H-dad signed the petition!
Comment #16 was deleted because it contained the full name of a certain someone who asked for it to be deleted.
All future comments containing the name of that someone will also suffer the same terrible fate, so heads up everyone.
Price per John Jay Meal: $13
Tuition at Columbia: $50,000
Losing your SSN: Priceless
For everything else, there’s a guy using your mastercard.
To any vulnerable people out there, #27 is a SCAM email. One of many I get in my Columbia inbox.
so you said the person who posted it wished to remain anonymous, yet he/she used bwog@columbia.edu as their email address
85 total signatures so far… that’s sure to motivate columbia to do something about this problem…
lest future generations of CU students forget…
http://www.wikicu.com/Housing_SSN_scandal
http://www.wikicu.com/Image:FedColumbiaCartoon.jpg
…having your social security number posted on the internet is no joke. I can’t understand people who are trying to suggest that it’s not a big deal, or that Housing shouldn’t be held accountable for the actions of one of its employees. It’s as simple as that. I normally delete those campus-wide emails straightaway, but I kept this one.
signature 95.
Usually Bwog deletes the full names/contact info of students posted in the comments. I guess the people in charge of that must have had their SSNs posted online, too.
Not that I’m complaining, mind you. I also was a victim of this idiot’s douchebaggery. One can only hope that future employers Google him and this thread (and the other one) shows up, proving that he is incompetent to handle sensitive and private data.
We only delete full names if the person named requests that we do so.
Ball’s in Sven’s court.