While Public Safety clamps down on Columbia’s physical security, some students were alerted today to a breach in the university’s virtual defenses. According to an email they received, Housing and Dining accidentally exposed information from students’ housing files online for a period on April 2nd. “Exposure was limited,” the email goes on to say, “because there were no links to the files on any Columbia website and because the files could only be viewed with a Columbia University UNI and password and a specific type of software.” Still, many students’ Social Security Numbers were among the bits of information placed online.
In the wake of the incident, Housing and Dining has, it claims, attempted to limit further exposure of student SSNs. The files were, of course, removed from the website, and students affected were offered a year of free credit monitoring, or the ability to file fraud reports or run credit checks with various agencies free of charge, if they so choose. The administration is clearly doing much to ensure no further damage to students results from this incident. Though it has been attempting to move away from the use of SSNs, their presence in student datasets is still prevalent, and the security precautions needed to protect them clearly have some way to go.
The full email from Lisa Hogarty to affected students appears below the jump.
-CJS
April 17, 2007
Dear [Student]:
On April 2, Columbia University’s Housing and Dining department was informed that three archival database files containing the housing information of some current and former students were inadvertently placed on a Columbia web server. Exposure was limited because there were no links to the files on any Columbia website and because the files could only be viewed with a Columbia University UNI and password and a specific type of software.
I am sorry to inform you that your name and Social Security number were included in one of the files. Please be assured that Columbia Public Safety investigators have concluded that this security breach was unintentional. No financial data was included in the files in question, and we have no evidence of wrongdoing or identity theft. Still, I wanted to advise you of this occurrence and the actions we are taking to reduce the chance of a future breach.
Information security is a serious issue for us, as we know it is for you. The above-mentioned files were immediately removed from the web server. Moreover, in the wake of this incident, Columbia Housing and Dining has taken steps to eliminate the use of Social Security numbers from its systems, both in room selection for current students and in its archival files.
As an additional precaution, Columbia has arranged for you to receive a free one-year subscription to a credit monitoring system. This service will provide you with a copy of your credit report, monitor your credit files at all three major credit bureaus (Equifax, Experian and Trans Union) and notify you of certain suspicious activities that could indicate identity theft. You will be mailed additional information about enrolling in this service in the next week.
If you do not wish to enroll in this service, you may still choose to activate a fraud alert with the major credit bureaus, or periodically run a credit report to look for potential irregularities and ensure that no new accounts have been activated in your name. Each agency has an automated fraud alert process. If you activate a fraud alert, the agency you contact will notify the other two agencies so that those agencies also can place fraud alerts on your accounts. In addition, each agency will provide you a copy of your credit report at no cost. The contact information for the credit agencies is as follows:
Equifax – (800) 525-6285 – www.equifax.com
Experian – (888) 397-3742 – www.experian.com
Trans Union – (800) 680-7289 – www.transunion.com
If you should have any questions or comments, please contact a member of my staff who will be able to address your concerns, Peter Cole, by calling (212) 851-2496 or by emailing studentservices-assist@columbia.edu.
Sincerely,
Lisa Hogarty
Executive Vice President
Student and Administrative Services
25 Comments
@fraud-ed My email comes from Scott Wright:
…
If you should have any questions or comments, please contact us by calling 1(888) 882-7331 or by emailing studentservices-assist@columbia.edu.
Sincerely,
Scott Wright
Vice President
Student Auxiliary & Business Services
@Ron Gejman Whoops, posted on the old thread!
@Ron Gejman The SAME thing happened last year – and Bwog even covered it: http://bwog.net/index.php?page=post&article_id=3498
Same email address, but different phone number.
I did a lookup on the 888 number (http://www.customtollfree.com/toll-free-reverse-lookup.html) and found it registered under Paetec Communications. I thought, perhaps this is Columbia’s “registrar” for 888 numbers? So I tried finding other Columbia 888 numbers by searching on Google for “888” under columbia.edu. No luck, so no way to find out if Columbia uses Paetec.
The email headers look ok though… The email is being sent via a Columbia server.
@Anonymous In order to protect yourself from identity fraud and name theft, you must carefully protect your personal records, and pursue online activities with caution. There are a number of things you can do in your everyday life to prevent identity theft and identity safety
@Speculator Bwog, I think the leaked information was in the same directory as the group selection housing times. I remember looking in that directory for the “priority” sorted list because housing only posted the alphabetical one. They neglected to turn off directory listing, and that folder did in fact have some Microsoft Access database files in it. The “specific type of software” they’re talking about is Microsoft Office Access, which is available in every campus computer lab.
I don’t think anyone’s going to get their identity stolen as a result of this, because H&D can quite easily produce a list of the people who downloaded that file (you had to log in with your UNI to see that directory), and haul those people in for questioning should anything happen with this data.
That said, someone should be fired for being dumb enough to put student information in a locally-stored MS Access database [and then putting it up on the web!]. That data should have been stored on a dedicated, secure database server, not a Windows PC in someone’s office. No one should be using a computer containing such sensitive data for their day-to-day web browsing and bullshit.
To those of you who had your SSNs compromised: talk to a lawyer. This is negligent behavior, and at the very least, the moron responsible for the complete disregard of the integrity of your data should be passing his SSN in plaintext to the unemployment office.
@credit monitoring Alums get it. It said so in the email I got.
@annoyed alum Free credit monitoring might not be much, but Columbia offered no compensation whatsoever to the alums whose info was also listed on the site . . . when my bank account gets emptied by an identity thief, I just guess I won’t be able to make my donation to the alumni fund . . .
@international This is why I’m glad Columbia issued me with a fake social. I don’t give two shits if someone steals it, won’t do them any good (as I found out freshman year when I attempted to give it to Citibank to get a free T-shirt).
@cc08 Yes, me too! I’m an international student, so Columbia identifies me using an alternative number, something like 000032917. I also have a government-issued SSN, but I only use that when dealing with the government and trustworthy private firms like my bank. There’s no way I’m going to tell Columbia about my real SSN, at least if I have any say in the matter!
@i was so mad about this and called my parents. they were like oh yea, our numbers and your sister’s were released when someone stole computers from the local hospital.
my mother added that my case wasn’t as serious, seeing how i don’t actually earn any money for the family. thanks mom.
@I think that we should require all administrators to put their own personal data at the very top of every database they maintain.
I think that this idea is logical, clear, level headed, easily implemented, and totally realistic.
@so... when will our SSNs be removed from our CUIDs so we can finally get the ball rolling on flex off campus?
@flex off campus can be a reality as soon as next year! Vote [insert shitty candidate for some student govt. position here]!
Shame on every candidate who has ever, ever used that, air conditioning in John Jay, “better advising,” etc. as a campaign promise.
@Erf “off campus can be a reality as soon as next year! Vote [insert shitty candidate for some student govt. position here]!
Shame on every candidate who has ever, ever used that, air conditioning in John Jay, “better advising,” etc. as a campaign promise”
Do understand that most people who first run for council don’t know the state of affairs for most of these issues.
Even within councils, year-to-year transfer and perpetuation of knowledge like the current state of the SSN replacement process is a problem. Every new would-be candidate has a lot to learn before they can really know whether their candidacy goals are realistic.
@what the councils were told is that new ID cards without the SSN will roll out next year and by spring 2008 the entire system will not be using SSNs any more. no guarantee that is true, just what we were told.
@meh my identity was compromised. but, do you think i could ask columbia to pay my $98 library fee instead of the free credit checks so i can graduate? eh? probably doesn’t add up to $98, but still, they compromised my identity, so they can at least pay for absent-mindedness instead of their own.
@jay Honestly, there’s zero excuse for this. How many times in the last year have we seen reports of student SSNs being exposed at universities? How many times have we read about identity theft taking place due to the carelessness of administrators? The fact of the matter is that the university is *not* being proactive; if they were proactive, this never would have happened in the first place. That’s like calling FDNY “proactive” for coming to your building with hoses to put out a fire once it’s started.
@umm isn’t that the FDNY’s job? how much more proactive than that could they be? bad analogy.
@jay The point I was trying to make is that some fires shouldn’t get started in the first place. Just because someone appears to be doing a good job of responding to an incident, that doesn’t take away the fact that it never should have happened to begin with. There’s zero reason for Housing & Dining to be maintaining files with the names and SSNs of students who graduated two years ago, and it’s absolutely inexcusable that information like this isn’t secured better. This isn’t the university being proactive, this is the consequence of the sheer laziness of university officials, who should have purged this information from any internet-connected computers a long, long time ago.
@WTF It’s only been 4 years since they figured out our SSNs are exposable. Glad to see they’re moving rapidly to protect us!
FUCKERS. I’m sorry Moph, there’s NO EXCUSE for this kind of ridiculousness.
@stupid leftists the socialist administration at Columbia thinks it can just reveal our SSNs so that worthless miscreants will steal our hard-earned wealth. this will not stand!
@less stupid Hard earned wealth? We go to Columbia... who are you kidding?!
@i'm so sick of everyone stereotyping columbia students as spoiled-by-mommy-and-daddy rich bastards. some of us actually worked hard to be able to pay for this school.
@Erf Great that they’re being extremely proactive about rectifying the situation.
What this email and Bwog post don’t indicate, however, is that Student Services began some time ago to revamp their IT systems to eliminate the use of SSN as an identifier.
@Bwog Thanks, commenter, we forgot about that. Amended.