Housing SSN security breach


The Housing SSN security breach was an accidental public posting of 5,000 Social Security Numbers by a Housing employee. It was discovered in June 2008. It is one of many Columbia SSN security breaches.

Summary

According to Scott Wright, Columbia's Vice President for Student Auxiliary & Business Services, a "former student employee" inadvertently posted a file on the internet in February 2007 that contained the names and SSNs of over 5,000 students. The file in question appears to have been an Excel spreadsheet called "output.xls", apparently posted at "http://cu-super-hw2.googlecode.com/files/output.xls" as part of a computer science class project. The spreadsheet has since been taken down, along with the rest of the "cu-super-hw2" website. However, various parts of the website remain online in the caches of search engines, including MSN.[1]

A Google search showing partial contents of the file.

Response

Administration

Student Services discovered the breach of confidentiality 16 months later, on June 3, 2008. They notified Google, which removed the offending file from the Google Code website. On June 10, 2008, they emailed all 5,000 students who were affected from an alias called "studentservices-assist@columbia.edu". Some students were offered two years of "Identity Guard CreditProtectX3SM" credit monitoring, while others were not; it is unclear why not all students were offered the credit monitoring service.

Students

Extensive coverage on the Bwog gave affected students an outlet for their frustration. One student created a petition[2] demanding changes in the university's approach to confidential information and retributive action against the student. However, the actual breach of security took place before the June 2007 institution of a new security policy following a similar leak in April 2007. Many students expressed anger in Bwog comments, directed at Housing (for allowing the situation to happen and for not offering all students the credit monitoring service), at the university as a whole, and particularly at the former student in question.

Some students who received the email subsequently searched Google for their names and SSNs and found a cached version of the Googlecode website, from which it was possible to ascertain the name of the individual who apparently had posted the file. In particular, the cached pages indicate that the website counted at least 4 people among its contributors for a class project. According to one of the cached pages, a 2007 SEAS graduate uploaded a file called "output.xls", which has led many people to accuse him of being the "former student employee" at fault. In anonymous Bwog comments, many people excoriated the individual and called for retribution, though his own name was included on the list and it appeared to be an innocent, if stupid, mistake.

Two Versions of the Email

Email that offers credit monitoring

From: studentservices-assist@columbia.edu
Date: 10 June 2008
Subject: Important Security Information

On June 3, Columbia University's Housing and Dining department was informed that one archival database file containing the housing information of approximately 5,000 current and former undergraduate students was found on a Google-hosted website. Google removed this file, at our request, that same day.

Columbia Public Safety investigators have concluded that this security breach was unintentional. No financial data was included in the file in question, and we have no evidence of wrongdoing or identity theft. It appears that the file was inadvertently posted by a former student employee in February 2007. Nevertheless, it is important for you to be aware that your name and Social Security Number were included in the file. We are very sorry for this occurrence.

Information security is a serious issue for us, as we know it is for you. Columbia University is continually strengthening its measures to protect Social Security Numbers where they are required in our systems. Housing & Dining manually eliminated Social Security Numbers from its online room selection process and contracts in April 2007. Further, in spring 2008, Columbia Housing and Dining implemented a new software system to manage and improve the housing assignment, contract, and billing processes which also does not use Social Security Numbers. Unfortunately, this file was uploaded prior to when these changes were made.

As an additional precaution, Columbia has arranged for you to receive a free two-year subscription to a credit monitoring service, Identity Guard CreditProtectX3SM. This service will provide you with a copy of your credit report, monitor your credit files at all three major credit bureaus (Equifax, Experian and Trans Union) and notify you of certain suspicious activities that could indicate identity theft. You will receive additional information about enrolling in this service in the next week.

If you do not wish to enroll in this service, you may still choose to activate a fraud alert with the major credit bureaus, or periodically request a credit report to look for potential irregularities and ensure that no new accounts have been activated in your name. Each agency has an automated fraud alert process. If you activate a fraud alert, the agency you contact will notify the other two agencies so that those agencies also can place fraud alerts on your accounts. In addition, each agency will provide you a copy of your credit report at no cost. The contact information for the credit agencies is as follows:

Equifax - (800) 525-6285 - www.equifax.com
Experian - (888) 397-3742 - www.experian.com
Trans Union - (800) 680-7289 - www.transunion.com

We sincerely apologize for the inconvenience this has caused you. Please know that we take the protection of your identity seriously. We are confident that the changes we have made since this file was posted have made all students and alumni safer.

If you should have any questions or comments, please contact us by calling 1(888) 882-7331 or by emailing studentservices-assist@columbia.edu.

Sincerely,

Scott Wright
Vice President
Student Auxiliary & Business Services

Alternative email that doesn't offer credit monitoring

From: studentservices-assist@columbia.edu
Date: 10 June 2008
Subject: Important Security Information

On June 3, Columbia University’s Housing and Dining department was informed that one archival database file containing the housing information of approximately 5,000 current and former undergraduate students was found on a Google-hosted website. Google removed this file, at our request, that same day.

Columbia Public Safety investigators have concluded that this security breach was unintentional. No financial data was included in the file in question, and we have no evidence of wrongdoing or identity theft. It appears that the file was inadvertently posted by a former student employee in February 2007. Nevertheless, it is important for you to be aware that your name and Social Security Number were included in the file. We are very sorry for this occurrence.

Information security is a serious issue for us, as we know it is for you. Columbia University is continually strengthening its measures to protect Social Security Numbers where they are required in our systems. Housing & Dining manually eliminated Social Security Numbers from its online room selection process and contracts in April 2007. Further, in spring 2008, Columbia Housing and Dining implemented a new software system to manage and improve the housing assignment, contract, and billing processes which also does not use Social Security Numbers. Unfortunately, this file was uploaded prior to when these changes were made.

As a precaution, we recommend you activate a fraud alert with the major credit bureaus, or periodically request a credit report to look for potential irregularities and ensure that no new accounts have been activated in your name. Each agency has an automated fraud alert process. If you activate a fraud alert, the agency you contact will notify the other two agencies so that those agencies also can place fraud alerts on your accounts. In addition, each agency will provide you a copy of your credit report at no cost. The contact information for the credit agencies is as follows:

Equifax – (800) 525-6285 – www.equifax.com
Experian – (888) 397-3742 – www.experian.com
Trans Union – (800) 680-7289 – www.transunion.com

We sincerely apologize for the inconvenience this has caused you. Please know that we take the protection of your identity seriously. We are confident that the changes we have made since this file was posted have made all students and alumni safer.

If you should have any questions or comments, please contact us by calling 1(888) 882-7331 or by emailing studentservices-assist@columbia.edu.

Sincerely,

Scott Wright
Vice President
Student Auxiliary & Business Services
