While Public Safety clamps down on Columbia’s physical security, some students were alerted today to a breach in the university’s virtual defenses. According to an email they received, Housing and Dining accidentally exposed information from students’ housing files online for a period on April 2nd. “Exposure was limited,” the email goes on to say, “because there were no links to the files on any Columbia website and because the files could only be viewed with a Columbia University UNI and password and a specific type of software.” Still, many students’ Social Security Numbers were among the bits of information placed online.
In the wake of the incident, Housing and Dining has, it claims, attempted to limit further exposure of student SSNs. The files were, of course, removed from the website, and students affected were offered a year of free credit monitoring, or the ability to file fraud reports or run credit checks with various agencies free of charge, if they so choose. The administration is clearly doing much to ensure no further damage to students results from this incident. Though it has been attempting to move away from the use of SSNs, however, their presence on student datasets is still prevalent, and the security precautions needed to secure them clearly have some way to go.
The full email from Lisa Hogarty to affected students appears below the jump.
April 17, 2007
On April 2, Columbia University’s Housing and Dining department was informed that three archival database files containing the housing information of some current and former students were inadvertently placed on a Columbia web server. Exposure was limited because there were no links to the files on any Columbia website and because the files could only be viewed with a Columbia University UNI and password and a specific type of software.
I am sorry to inform you that your name and Social Security number were included in one of the files. Please be assured that Columbia Public Safety investigators have concluded that this security breach was unintentional. No financial data was included in the files in question, and we have no evidence of wrongdoing or identity theft. Still, I wanted to advise you of this occurrence and the actions we are taking to reduce the chance of a future breach.
Information security is a serious issue for us, as we know it is for you. The above-mentioned files were immediately removed from the web server. Moreover, in the wake of this incident, Columbia Housing and Dining has taken steps to eliminate the use of Social Security numbers from its systems, both in room selection for current students and in its archival files.
As an additional precaution, Columbia has arranged for you to receive a free one-year subscription to a credit monitoring system. This service will provide you with a copy of your credit report, monitor your credit files at all three major credit bureaus (Equifax, Experian and Trans Union) and notify you of certain suspicious activities that could indicate identity theft. You will be mailed additional information about enrolling in this service in the next week.
If you do not wish to enroll in this service, you may still choose to activate a fraud alert with the major credit bureaus, or periodically run a credit report to look for potential irregularities and ensure that no new accounts have been activated in your name. Each agency has an automated fraud alert process. If you activate a fraud alert, the agency you contact will notify the other two agencies so that those agencies also can place fraud alerts on your accounts. In addition, each agency will provide you a copy of your credit report at no cost. The contact information for the credit agencies is as follows:
If you should have any questions or comments, please contact a member of my staff who will be able to address your concerns, Peter Cole, by calling (212) 851-2496 or by emailing firstname.lastname@example.org.
Executive Vice President
Student and Administrative Services