Difference between revisions of "Housing SSN security breach"
| Line 3: | Line 3: | ||
According to Scott Wright, Columbia's Vice President for Student Auxiliary & Business Services, a "former student employee" inadvertently posted a file on the internet in February 2007 that contained the names and SSNs of over 5,000 students. The file in question seems to have been an Excel spreadsheet called "Beds_Roster_0607.xls", which seems to have been posted at "http://cu-super-hw2.googlecode.com/files/output.xls". The spreadsheet has since been taken down, along with the rest of the "cu-super-hw2" website. However, various parts of the website remain online in the caches of search engines, including MSN.<ref>http://cc.msnscache.com/cache.aspx?q=73381023649685&mkt=en-US&setlang=en-US&w=8006b6d6,9ed441b4&FORM=CVRE9</ref><ref>http://cc.msnscache.com/cache.aspx?q=73424566345560&mkt=en-US&setlang=en-US&w=ea9b6e99,e55de10f&FORM=CVRE</ref> | According to Scott Wright, Columbia's Vice President for Student Auxiliary & Business Services, a "former student employee" inadvertently posted a file on the internet in February 2007 that contained the names and SSNs of over 5,000 students. The file in question seems to have been an Excel spreadsheet called "Beds_Roster_0607.xls", which seems to have been posted at "http://cu-super-hw2.googlecode.com/files/output.xls". The spreadsheet has since been taken down, along with the rest of the "cu-super-hw2" website. However, various parts of the website remain online in the caches of search engines, including MSN.<ref>http://cc.msnscache.com/cache.aspx?q=73381023649685&mkt=en-US&setlang=en-US&w=8006b6d6,9ed441b4&FORM=CVRE9</ref><ref>http://cc.msnscache.com/cache.aspx?q=73424566345560&mkt=en-US&setlang=en-US&w=ea9b6e99,e55de10f&FORM=CVRE</ref> | ||
| − | These cached pages indicate that the website counted at least 4 people among its contributors, one of whom was Sven Hafemeister. Hafemeister | + | These cached pages indicate that the website counted at least 4 people among its contributors, one of whom was Sven Hafemeister. According to one of the cached pages, Hafemeister uploaded a file called "output.xls", which has led many people to accuse him of being the "former student employee" at guilt. It seems that Hafemeister used the spreadsheet with student data to complete a homework for CS4733 Computational Aspects of Robotics. Hafemeister has since graduated, but while at Columbia he was a SEAS comp sci major and student athlete<ref>http://www.gocolumbialions.com/ViewArticle.dbml?SPSID=43592&SPID=3876&DB_OEM_ID=9600&ATCLID=612091&Q_SEASON=2006</ref>. He recently took down his [[Facebook]] page. |
| − | Student Services discovered this breach of confidentiality on 3 June 2008. On 10 | + | Student Services discovered this breach of confidentiality on 3 June 2008. They notified Google, who removed the offending file from the Google Code website. On 10 June 2008, they emailed all 5,000 students who were affected from an alias called "studentservices-assist@columbia.edu". Some students were offered two years of "Identity Guard CreditProtectX3SM" credit monitoring, while others were not - it is unclear why all students were not offered the credit monitoring. According to comments on Bwog, students who received these emails and subsequently searched for their names and SSNs on Google were still able to find the spreadsheet along with the names and SSNs of all the other students involved. It seems this was because Columbia did not also ask Google to remove the file from its cache. |
| + | |||
| + | A similar (though less widespread) SSN scandal happened just over a year ago in April 2007. | ||
== Email offering credit monitoring == | == Email offering credit monitoring == | ||
| Line 78: | Line 80: | ||
<blockquote> | <blockquote> | ||
From: studentservices-assist@columbia.edu<br/> | From: studentservices-assist@columbia.edu<br/> | ||
| − | Date: | + | Date: 10 June 2008<br/> |
Subject: Important Security Information<br/> | Subject: Important Security Information<br/> | ||
<br/> | <br/> | ||
Revision as of 04:21, 13 June 2008
The housing SSN scandal emerged in June 2008.
According to Scott Wright, Columbia's Vice President for Student Auxiliary & Business Services, a "former student employee" inadvertently posted a file on the internet in February 2007 that contained the names and SSNs of over 5,000 students. The file in question seems to have been an Excel spreadsheet called "Beds_Roster_0607.xls", which seems to have been posted at "http://cu-super-hw2.googlecode.com/files/output.xls". The spreadsheet has since been taken down, along with the rest of the "cu-super-hw2" website. However, various parts of the website remain online in the caches of search engines, including MSN.[1][2]
These cached pages indicate that the website counted at least 4 people among its contributors, one of whom was Sven Hafemeister. According to one of the cached pages, Hafemeister uploaded a file called "output.xls", which has led many people to accuse him of being the "former student employee" at guilt. It seems that Hafemeister used the spreadsheet with student data to complete a homework for CS4733 Computational Aspects of Robotics. Hafemeister has since graduated, but while at Columbia he was a SEAS comp sci major and student athlete[3]. He recently took down his Facebook page.
Student Services discovered this breach of confidentiality on 3 June 2008. They notified Google, who removed the offending file from the Google Code website. On 10 June 2008, they emailed all 5,000 students who were affected from an alias called "studentservices-assist@columbia.edu". Some students were offered two years of "Identity Guard CreditProtectX3SM" credit monitoring, while others were not - it is unclear why all students were not offered the credit monitoring. According to comments on Bwog, students who received these emails and subsequently searched for their names and SSNs on Google were still able to find the spreadsheet along with the names and SSNs of all the other students involved. It seems this was because Columbia did not also ask Google to remove the file from its cache.
A similar (though less widespread) SSN scandal happened just over a year ago in April 2007.
Email offering credit monitoring
From: studentservices-assist@columbia.edu
Date: 10 June 2008
Subject: Important Security Information
On June 3, Columbia University's Housing and Dining department was informed that one archival database file containing the housing information of approximately 5,000 current and former undergraduate students was found on a Google-hosted website. Google removed this file, at our request, that same day.
Columbia Public Safety investigators have concluded that this security breach was unintentional. No financial data was included in the file in question, and we have no evidence of wrongdoing or identity theft. It appears that the file was inadvertently posted by a former student employee in February 2007. Nevertheless, it is important for you to be aware that your name and Social Security Number were included in the file. We are very sorry for this occurrence.
Information security is a serious issue for us, as we know it is for you. Columbia University is continually strengthening its measures to protect Social Security Numbers where they are required in our systems. Housing & Dining manually eliminated Social Security Numbers from its online room selection process and contracts in April 2007. Further, in spring 2008, Columbia Housing and Dining implemented a new software system to manage and improve the housing assignment, contract, and billing processes which also does not use Social Security Numbers. Unfortunately, this file was uploaded prior to when these changes were made.
As an additional precaution, Columbia has arranged for you to receive a free two-year subscription to a credit monitoring service, Identity Guard CreditProtectX3SM. This service will provide you with a copy of your credit report, monitor your credit files at all three major credit bureaus (Equifax, Experian and Trans Union) and notify you of certain suspicious activities that could indicate identity theft. You will receive additional information about enrolling in this service in the next week.
If you do not wish to enroll in this service, you may still choose to activate a fraud alert with the major credit bureaus, or periodically request a credit report to look for potential irregularities and ensure that no new accounts have been activated in your name. Each agency has an automated fraud alert process. If you activate a fraud alert, the agency you contact will notify the other two agencies so that those agencies also can place fraud alerts on your accounts. In addition, each agency will provide you a copy of your credit report at no cost. The contact information for the credit agencies is as follows:
Equifax - (800) 525-6285 - www.equifax.com
Experian - (888) 397-3742 - www.experian.com
Trans Union - (800) 680-7289 - www.transunion.com
We sincerely apologize for the inconvenience this has caused you. Please know that we take the protection of your identity seriously. We are confident that the changes we have made since this file was posted have made all students and alumni safer.
If you should have any questions or comments, please contact us by calling 1(888) 882-7331 or by emailing studentservices-assist@columbia.edu (mailto:studentservices-assist@columbia.edu).
Sincerely,
Scott Wright
Vice President
Student Auxiliary & Business Services
Alternative email
From: studentservices-assist@columbia.edu
Date: 10 June 2008
Subject: Important Security Information
On June 3, Columbia University’s Housing and Dining department was informed that one archival database file containing the housing information of approximately 5,000 current and former undergraduate students was found on a Google-hosted website. Google removed this file, at our request, that same day.
Columbia Public Safety investigators have concluded that this security breach was unintentional. No financial data was included in the file in question, and we have no evidence of wrongdoing or identity theft. It appears that the file was inadvertently posted by a former student employee in February 2007. Nevertheless, it is important for you to be aware that your name and Social Security Number were included in the file. We are very sorry for this occurrence.
Information security is a serious issue for us, as we know it is for you. Columbia University is continually strengthening its measures to protect Social Security Numbers where they are required in our systems. Housing & Dining manually eliminated Social Security Numbers from its online room selection process and contracts in April 2007. Further, in spring 2008, Columbia Housing and Dining implemented a new software system to manage and improve the housing assignment, contract, and billing processes which also does not use Social Security Numbers. Unfortunately, this file was uploaded prior to when these changes were made.
As a precaution, we recommend you activate a fraud alert with the major credit bureaus, or periodically request a credit report to look for potential irregularities and ensure that no new accounts have been activated in your name. Each agency has an automated fraud alert process. If you activate a fraud alert, the agency you contact will notify the other two agencies so that those agencies also can place fraud alerts on your accounts. In addition, each agency will provide you a copy of your credit report at no cost. The contact information for the credit agencies is as follows:
Equifax – (800) 525-6285 – www.equifax.com
Experian – (888) 397-3742 – www.experian.com
Trans Union – (800) 680-7289 – www.transunion.com
We sincerely apologize for the inconvenience this has caused you. Please know that we take the protection of your identity seriously. We are confident that the changes we have made since this file was posted have made all students and alumni safer.
If you should have any questions or comments, please contact us by calling 1(888) 882-7331 or by emailing studentservices-assist@columbia.edu .
Sincerely,
Scott Wright
Vice President
Student Auxiliary & Business Services
References
- ↑ http://cc.msnscache.com/cache.aspx?q=73381023649685&mkt=en-US&setlang=en-US&w=8006b6d6,9ed441b4&FORM=CVRE9
- ↑ http://cc.msnscache.com/cache.aspx?q=73424566345560&mkt=en-US&setlang=en-US&w=ea9b6e99,e55de10f&FORM=CVRE
- ↑ http://www.gocolumbialions.com/ViewArticle.dbml?SPSID=43592&SPID=3876&DB_OEM_ID=9600&ATCLID=612091&Q_SEASON=2006
