Jun 10

Hilarious Housing & Dining Social Security Number Mishap


One recent grad forwarded Bwog the following email, which contains some bad news for the unluckiest 5,000 of you. Apparently, housing information that included names and social security numbers was accidentally posted online by a former student employee in February 2007. 

Housing & Dining is very sorry, and has even bought you and your probably-stolen social security numbers an apology gift to make it up to you: “As an additional precaution, Columbia has arranged for you to receive a free two-year subscription to a credit monitoring service, Identity Guard CreditProtectX3SM. This service will provide you with a copy of your credit report, monitor your credit files at all three major credit bureaus and notify you of certain suspicious activities that could indicate identity theft.”

Full email after the jump.

UPDATE 11:32 PM: One Bwog operative calling himself “Person who’s SSN was exposed” has located via Google cache the Excel document that used to contain the SSNs and names in question. According to the aforementioned operative, the Excel document was apparently created in relation to “a HW for CS4733, aka ‘Computational Aspects of Robotics.’” Also, the Spec has published the story.

UPDATE 11:11 AM: A Bwog writer and SSN victim just called Student Services and the email is not, in fact, a scam.  Sorry folks.

———- Forwarded message ———-

From: Student Services Assist <[email protected]>

Date: Tue, 10 Jun 2008 19:25:55 -0400

Subject: Important Security Information

To: [redacted]

June 10, 2008

[Home address of recipient redacted]

 

“Dear [Redacted]:

On June 3, Columbia University’s Housing and Dining department was informed that one archival database file containing the housing information of approximately 5,000 current and former undergraduate students was found on a Google-hosted website. Google removed this file, at our request, that same day.

Columbia Public Safety investigators have concluded that this security breach was unintentional. No financial data was included in the file in question, and we have no evidence of wrongdoing or identity theft. It appears that the file was inadvertently posted by a former student employee in February 2007. Nevertheless, it is important for you to be aware that your name and Social Security Number were included in the file. We are very sorry for this occurrence.

Information security is a serious issue for us, as we know it is for you. Columbia University is continually strengthening its measures to protect Social Security Numbers where they are required in our systems. Housing & Dining manually eliminated Social Security Numbers from its online room selection process and contracts in April 2007. Further, in spring 2008, Columbia Housing and Dining implemented a new software system to manage and improve the housing assignment, contract, and billing processes which also does not use Social Security Numbers. Unfortunately, this file was uploaded prior to when these changes were made.

As an additional precaution, Columbia has arranged for you to receive a free two-year subscription to a credit monitoring service, Identity Guard CreditProtectX3SM. This service will provide you with a copy of your credit report, monitor your credit files at all three major credit bureaus (Equifax, Experian and Trans Union) and notify you of certain suspicious activities that could indicate identity theft. You will receive additional information about enrolling in this service in the next week.

If you do not wish to enroll in this service, you may still choose to activate a fraud alert with the major credit bureaus, or periodically request a credit report to look for potential irregularities and ensure that no new accounts have been activated in your name. Each agency has an automated fraud alert process. If you activate a fraud alert, the agency you contact will notify the other two agencies so that those agencies also can place fraud alerts on your accounts. In addition, each agency will provide you a copy of your credit report at no cost. The contact information for the credit agencies is as follows:

Equifax – (800) 525-6285 – www.equifax.com

Experian – (888) 397-3742 – www.experian.com

Trans Union – (800) 680-7289 – www.transunion.com

We sincerely apologize for the inconvenience this has caused you. Please know that we take the protection of your identity seriously. We are confident that the changes we have made since this file was posted have made all students and alumni safer.

If you should have any questions or comments, please contact us by calling 1(888) 882-7331 or by emailing [email protected].

Sincerely,

Scott Wright

Vice President

Student Auxiliary & Business Services”


130 Comments

  1. Ha...  

    Columbia strikes again. Might as well tell us we've all caught meningitis and give us a "Cold Packet" as compensation.

  2. FREE!

    I'm all for free stuff. Hopefully I wasn't among the 5,000, though.

  3. CC'09  

    Why do current students not get a 2 yr subscription to that? Wtf?

  4. how do we know  

    if we were among the 5000?

  5. hate

    this school. hate it. You probably know you were among the 5000 if you got an email telling you so:

    "Nevertheless, it is important for you to be
    aware that your name and Social Security Number were included in the file."

  6. CC 07

    Since Columbia issued me a fake SSN due to my lack of one, joke is on anyone that tries to use it.

  7. I love that...  

    they had the file removed the day it was discovered. Good Work, although this quick action was somewhat trivial since it had been up for 16 MONTHS PRIOR.

  8. And

    It's such a good job that they went to the trouble of making the IDs without SSNs on them, and waited for off campus flex, given that for the past year and a half everyone's SSNs were apparently readily available!

  9. who loves how

    they wait to tell you until the end of the second paragraph? as if to prepare you for the blow, that your identity has been posted for the world's leisurely viewing.

    well, as a fellow poster has commented, free stuff is nice. even if it means that, because my identity has been stolen, my fake self out selling stolen cars somewhere will be using the loot instead of me.

  10. wtf

    how do we know that this email isn't a fraud??

  11. this annoys me

    farking columbia

    even the adorable lolcat doesn't make up for the fact i'm going to have to check my credit now

  12. DHI

    Fuck this, man.

    I don't give a shit if they know my "housing information." Some asshole comes to where I live, well then at least I got a chance.

    But social security number, damn.

    Whose fucking idea was it to have some number that fucks you over if it goes public and makes it hard to get jobs if it ever changes?

  13. DHI

    I am at work right now making money for some identity thefter.

  14. Legal  

    Is there any kind of legal action we can take? Columbia has done this before, done it now, and will do it again. Any thoughts?

  15. the cute lolcat

    makes me feel somewhat better.

  16. Well

    If this is spam I would actually be even more freaked out given that it had my home address at the top.

    • Actually

      It has my old home address at the top of it, as I did in fact change it on SSOL. So I am leaning towards this being spam but also being somewhat true, because I have no idea where else someone would have gotten my uni and old home address unless there was some kind of security breach.

      • And finally

        the email I got was different to the one posted on Bwog...it didn't tell me I had a free subscription to anything:


        'As a precaution, we recommend you activate a fraud alert with the major credit bureaus, or periodically request a credit report to look for potential irregularities and ensure that no new accounts have been activated in your name. Each agency has an automated fraud alert process. If you activate a fraud alert, the agency you contact will notify the other two agencies so that those agencies also can place fraud alerts on your accounts. In addition, each agency will provide you a copy of your credit report at no cost. The contact information for the credit agencies is as follows:

        Equifax – (800) 525-6285 – www.equifax.com
        Experian – (888) 397-3742 – www.experian.com
        Trans Union – (800) 680-7289 – www.transunion.com '

  17. DHI

    If this is a scam, what you supposed to be doing?

    I ain't doing shit but complaining. If me complaining made anybody money, somebody would be rich.

  18. Ron Gejman

    The SAME thing happened last year - and Bwog even covered it: [ external link to bwog.net ]

    Same email address, but different phone number.

    I did a lookup on the 888 number ([ external link to www.customtollfree.com ]) and found it registered under Paetec Communications. I thought, perhaps this is Columbia's "registrar" for 888 numbers? So I tried finding other Columbia 888 numbers by searching on Google for "888" under columbia.edu. No luck, so no way to find out if Columbia uses Paetec.

    The email headers look ok though... The email is being sent via a Columbia server.

  19. Mariam Abacha

    CONFIDENTIAL

    Dear Sir,

    Good day and compliments. This letter will definitely come to you as a huge surprise, but I implore you to take the time to go through it carefully as the decision you make will go off a long way to determine the future and continued existence of the entire members of my family.

    Please allow me to introduce myself. My name is Dr. (Mrs.) Mariam Abacha, the wife of the late head of state and commander in chief of the armed forces of the federal republic of Nigeria who died on the 8th of June 1998.

    My ordeal started immediately after my husband's death on the morning of 8th June 1998, and the subsequent take over of government by the last administration. The present democratic government is determined to portray all the good work of my late husband in a bad light and have gone as far as confiscating all my late husband's assets, properties, freezing our accounts both within and outside Nigeria. As I am writing this letter to you, my son Mohammed Abacha is undergoing questioning with the government. All these measures taken by past/present government is just to gain international recognition.

    I and the entire members of my family have been held incommunicado since the death of my husband, hence I seek your indulgence to assist us in securing these funds. We are not allowed to see or discuss with anybody. Few occasions I have tired traveling abroad through alternative means all failed.

    It is in view of this I have mandated DR GALADIMA HASSAN, who has been assisting the family to run around on so many issues to act on behalf of the family concerning the substance of this letter. He has the full power of attorney to execute this transaction with you.

    My late husband had/has Eighty Million USD ($80,000,000.00) specially preserved and well packed in trunk boxes of which only my husband and I knew about. It is packed in such a way to forestall just anybody having access to it. It is this sum that I seek your assistance to get out of Nigeria as soon as possible before the present civilian government finds out about it and confiscate it just like they have done to all our assets.

    I implore you to please give consideration to my predicament and help a widow in need.

    May Allah show you mercy as you do so?

    Your faithfully,

    Dr (Mrs.) Mariam Abacha (M.O.N)

    N/B: Please contact Dr Galadima Hassan on this e-mail address for further briefing and modalities

  20. Yeah  

    So who wants to call the number and see what it says?

    Also, the mailing address at the top makes me suspicious. And finally, what website was this on that was hosted by google? Blogger, docs, in the achieves? where?

  21. Ron Gejman

    I called. It goes to a voice mailbox for "Student Services" and says they are in only from 9-5.

  22. Ron Gejman

    Also "if you are calling in regards to the recent security incident, please leave your name and phone number, blah blah."

    What is the real number for SS? Is it the same message?

  23. rmb

    When did you change your home address? Before or after February 2007?

  24. Kubler-Ross

    Can't wait till we reach the 2nd stage!

  25. ss#  

    it's real. for the people who got the e-mail, if you do a search with your SS# the google doc pops up.

  26. ss#  

    I also want an explanation for why an employee used a confidential database for a school project. Talk about a lawsuit waiting to happen...

  27. ss#  

    i just entered my number directly: 123456789 (no thats not my actual SS#). It was the last link on the bottom of the google search page.

    • i get

      a bunch of web sites in foreign languages also. hah, i wonder if my number is all over the web being used by dirtbags, or maybe i'm just paranoid.

    • confused

      Hmmm...I got the email (albeit the alternate version without the free two-year offer Identity Guard Creditprotect) and a google search of my SSN turns up nothing. A couple of points I don't understand:

      - Why is Student Services sending two versions of the "apology" email with varying offers? Does this have to do with the fact that I am an alumn or are they sending some kind of email to everyone regardless of whether their SSN was included in that file or not?

      - Why was some student employee using sensitive data for some stupid comp-sci project?

      • as an alum

        I got an email with the free two-year offer.
        As a technically minded alum, if this turns out to be true (it already looks 50% legit, as my SSN does produce a result on Google), I intend to get to the bottom of this, and encourage any like-minded individuals to do so as well. Whichever retard did this deserves to have every bone in his hands to be broken.

  28. Ron Gejman

    I guess I'm lucky. I only get iTunes Music Store record identifiers for my SSN!

  29. new numbers

    You can get new social security numbers, though it may require evidence that yours is being used by someone else. Not sure if this incident would allow us to get new numbers if we wanted to, but maybe.

  30. also confused  

    - How the hell is there no wrongdoing? Our SSN#'s were posted online since Feb.

  31. i find it

    hard to believe some computer tech savvy guy didnt find this a hell of a long time ago.

    16 months? just dont buy it.

  32. someone

    inside google is now saving every 9-digit search and cross referencing it with a database of columbia students.

    Just their next step in taking over the world.

  33. Google

    This is what shows up on the bottom of the search page when I Google my SSN (no dashes or spaces):

    http://i28.tinypic.com/2ey8h9e.jpg

  34. there's

    an easy way to put the debate about the legitimacy of the email to rest: our eager reporters here call Scott Wright and ask him directly whether he or his secretary sent this thing

  35. umm.  

    "Person who's SSN was exposed"?

    come, now.

  36. the Man '07

    This seems suspicious....
    http://blogs.tampabay.com/schools/2008/06/oops-uf-posts-s.html

    What are the odds of UF having a student "accidentally" post SSN's and addresses online.... Methinks this may be a recurring scam

    • ...  

      my social security number is the cell phone number for a crane operator in the czech republic! no joke!

      here's the deal. you guys sue columbia and i'll sue the crane operator! i'd say that both our cases have an equal shot at winning!

  37. This is infuriating

    Doesn't anyone want to do anything about this? Class action lawsuit? I do.

  38. cc07

    I didn't even get the email. I had to call, and they told me that my SSN was posted. Even if you didn't get the email, you might want to call them just to check.

  39. EAL

    Unbelievable. Just got the e-mail this morning. What a great way to start the day.

  40. I agree

    I do as well...lets get a petition going or something...lets find out if its real or not first though.

  41. ....

    i seriously feel like we are entitled to some sort of legal/financial recourse. Thoughts from the bwogosphere?

  42. Well

    Since the file is 'beds_roster_0607' I am going to assume that anyone living in Columbia housing that year is on it? Also, WHY were two different emails sent out, one with the free subscription and one without?

    Bwog, please investigate

  43. unfortunately

    As of now we have no damages to claim in order to bring a suit against Columbia, nothing has happened, as infuriating as it is.

  44. another "victim"

    Yeah I don't think a lawsuit is the way to go. That is unless someone did steal your identity in the past year and somehow destroyed your credit. I just got a free credit report online and there isn't anything on there that shouldn't be. I suggest others do that too since who knows how speedy columbia will be with the credit monitoring service.

  45. probably

    You can probably sue them for negligence and failure to keep confidential items securely. Though the lawyers of CU are an unholy army.

  46. qqq

    Um, is a SSN technically confidential? It's used for so many things (the reason why it's useful for fraud) that it's hardly a secret. Is there a law requiring companies to protect personal information? If so, can the company be held liable for one employee acting individually, probably against the terms of his employment contract?

    • DHI

      "Um"
      Yes, I am pretty sure that it is "technically confidential," and that if you use your Social Security Number whoever you give it to has a responsibility to keep it confidential.

      It would be an unbelievably bad system if there was a number that functionally needed to be confidential, but nobody was required to treat it as protected information.

  47. fuck this school

    my SSN is not producing a google hit for the spreadsheet on its own or when i search for it together with beds roster. so hopefully this suggests the thing has been properly removed now? (though the fact that anybody managed to get the spreadsheet to come up means columbia was not as successful at instantly removing the material as the email claims.)

    also, SOMETHING FOR BWOG TO INVESTIGATE: is 2 years of credit-monitoring some kind of industry standard for what you need to be reasonably sure you're not going to take it in the butt from some identity thief? or is it just what columbia decided they could get away with as a way to placate the 5000 people they completely screwed over?

    also, why in god's name did a student employee even have access to a file full of SSNs to begin with? it seems like when the email says columbia is committed to protecting our personal data, they really mean, "RECENTLY committed to it, to a degree that may or may not actually make up for the previous disregard for that same enterprise"

  48. can anyone check...

    to see if the spreadsheet's been cached on archive.org's way back machine?

    it usually saves those too... I'm sure columbia didn't bother removing it from other indexes *facepalm*

  49. if you google  

    cs4733 google code

    You will get three hits. Click "cache" under the first or second one and you discover the possible culprit (the project owner)

  50. if you google  

    the project owner, you discover that he's an athlete in SEAs. Figures.

  51. i don't care who

    but i'd like to see some heads roll for this. seriously.

  52. OF COURSE

    i know many CS ppl who use that information to make predictions about the housing lottery.

    though the SSN's are not useful for that purpose, the number of ppl living in those suites are useful...

  53. ss#  

    by the way - has anyone thought about what this mishap will cost CU? Credit protection is 12.99/month x 24 months x 5000 student =1.5 million. Even with a bulk discount this has gotta be costing Student Services >1mil

  54. alexw

    I'm taking their shitty credit protection scam bullshit just so I will cost the incompetent pinheads as much money as possible.

    You should do the same.

  55. Important Point

    While it's clear that Google has taken down the Googlecode page for the class project at this point, it's less clear to me that the googlecode files were publicly accessible. Do we know for sure that output.xls was actually downloadable without a login? Plus, it was downloaded only 4 times, i.e. perhaps only by members of the project itself? Moreover, if the code repository required a google account for access, there'd be a pretty clear record of who downloaded the file, no? With only four downloads, conceivably even if it were publicly accessible, Google at least has IP information if not Google Account information of those individuals. 16 months or not, I'm not yet sure this information actually got into the wrong hands.

  56. There is no...  

    honest mistake to all this. Who in their right mind would EVER use confidential such as SS numbers for something as trivial a SCHOOL PROJECT? And has the gall to post it ONLINE?

    This is just pure, blatant idiocy, plain and simple. Apparently instead of using random name and number generators, the person/party in question decides to use people's ACTUAL names and ACTUAL SS numbers...and saw no potential ramifications for this.

    And its great that its now known that we get two years of credit protection. That way, when the two years runs out, then 5000 of us can go right back to having our identities stolen. What a way to blow a couple million dollars.

    Fuck Columbia. Fuck the idiot who put us in this position in the first place.

  57. anyone else

    get tapped by the NY post and asked to comment/forward them the email?

  58. no response?

    Has anyone else tried emailing the address Scott Wright included in his "apology?" I sent a message expressing my frustration with this fiasco and a request that the University offer the free, two-year trial of IdentityGuard CreditProtect to ALL THOSE AFFECTED, not just the handful of lucky "victims" that got this generous gift. It's been about 36 hours and I haven't heard a peep from Columbia.

  59. Is there a way

    that we can completely eliminate the necessity of SSNs as identifiers except when *absolutely* necessary (e.g. finances)? We have other ways of being identified - UNIs, CUID numbers - and I feel like the phasing out of SSNs as identifiers should have been done long ago. But again, Columbia is years behind. Maybe this little mishap will whip them into shape.

    • been done  

      yep. it's been done. the switch was completed by september 07 with the new id cards. it makes whining about "change" somewhat difficult when the "change" has now already been done, but this file was from before the switchover

  60. Juli

    Two comments were deleted because they contained the full name of a certain someone who asked for them to be deleted.

    All future comments containing the name of that someone will also suffer the same terrible fate, so heads up everyone.

  61. Alum

    I'm a little surprised that the guy responsible hasn't issued an apology or explanation for his actions, even an anonymous one, rather than just hiding behind the official email. Given the potential impact of his actions on those of us listed in the document, it doesn't seem like too much to ask.

    • perhaps

      Maybe he doesn't know he's being lynched on Bwog right now? Not everyone reads this thing, you know.

      • meh  

        probably the case. Apparently, BWOG only deletes posts with your entire name if you request it. We could all be really trashing Joe Blow, without his knowledge - and it won't get deleted. Should I just e-mail BWOG now and ask that all posts in the past or future with my full name be deleted?

        • Juli

          Really? Commenters 101 and 102, please see comment 97.

          • meh  

            I read comment 97 - which is what prompted me (#102) to write what I wrote. The comment was deleted because the named person asked for you to delete it. If he did not know his name was posted here, he would not have requested the deletion. So, if I start bashing Joe Blow, and he does not know it is on the BWOG, he will not request its deletion, and it will remain for all to see and ridicule him.
            Also, Juli (if that is your real name), in the follow up BWOG post (http://bwog.net/articles/ssn_snafu_protests_go_digital#comments), you wrote in comment #20 that the ball is in "sven's court" - since then, he has apparently requested deletion... maybe you should delete your post there since it has his first name.

          • Juli

            "Sven" is not a full name. Comment 97 specifically stipulates that it must be a full name: "Two comments were deleted because they contained the full name of a certain someone who asked for them to be deleted."

          • anti-Site staff

            Juli, that's a stupid policy. You should delete the previous four comments which obviously spell out someone's full name. And probably the one with only a first name too. Otherwise, what's the point?

          • bahramewe

            Yeah, 'cause having your personal information spread around on the world wide interwebs without your permission sure is a bummer.

          • Agreed...

            All posting his first name does is draw unwarranted hate to others named Sven.

            There are (were) 3 on Facebook. Now there is two...said offender is not a part of them.

            And honestly? How many SVEN's do you know, including ones that go to Columbia? Using his name at all is just plain pointless...seeing as how its a rather distinct name.

          • Haha

            Juli walked right into that one. I wonder if she's gonna bite the bullet and admit she made a mistake.

  62. Delete this comment.  

    His name is Robert Paulson. His name is Robert Paulson. His name is Robert Paulson. His name is Robert Paulson.

  63. j-grace

    i, for one, just can't believe rob trump would do something like this.

  64. So if i say

    that a certain Mr. Hafemeister is the brainless culprit behind this mess, my post cannot be deleted. I leave it up to my brilliant Columbia colleagues to logically deduce the full name, as I have explicitly not posted it here.

  65. sh2125

    CU removed the UNI sh2125. Also there's no more sven's on facebook anymore.

  66. I sure hope

    this http://www.gocolumbialions.com/ViewArticle.dbml?SPSID=43592&SPID=3876&DB_OEM_ID=9600&ATCLID=612091&Q_SEASON=2006 person's employer doesn't find out about his little boo-boo with highly private information.

  67. retribution

    Someone should thank Mr. Hafemeister. Perhaps by purchasing

    [firstname]hafemeister.com

    and explaining the whole incident.

  68. fyi

    anyone ever stopped to think about how their identity could really be taken???

    http://www.washingtonpost.com/wp-dyn/content/article/2008/06/11/AR2008061103759.html

  69. Timing

    It is entirely coincidental that Columbia conveniently disclosed the breach after summer vacation started, when the affected students would not be in campus.

  70. timingPart2

    don't u think they would have cleaned up the google cache and whatever other traces, if they knew about this for longer than they say? apparently there was still stuff out there after they sent the two emails...

  71. Timing

    You're assuming that they are competent. Tisk Tisk!(A mistake many of us had made in the past.) If they were competent, they wouldn't allow a pimple-faced student to download 5,000 SS# off their computers.

  72. Sprinkles

    Why are we protecting the person who did this?

  73. gco

    columbia should put some funds into an identity theft insurance pool to cover the costs that will be incurred by any person whose ID is stolen as a result of this. that makes a lot more sense than giving 5,000 people credit monitoring subscriptions for an arbitrary period of time. if they really did spend north of a million dollars, wouldn't it have been better to just set that aside? ex post, it allocates more money to the actual people who need it-- namely, the people who actually have problems as a result of this. ex ante, it provides insurance to everyone, so we all sleep better, even though the vast majority of us are probably going to be fine. my SSN was posted, by the way

© 2006-2015 Blue and White Publishing Inc.