Educause Security Discussion mailing list archives
Re: Bare Social Social Security Numbers
From: "Christopher E. Cramer" <chris.cramer () DUKE EDU>
Date: Mon, 27 Mar 2006 11:59:05 -0500
Geoff,

No names? or no identifying information? or no other information at all?

My take is that there are just less than a billion possible SSNs. There are roughly 300 million Americans. If a file (like this email) contained possible SSNs (completely made up example: 437-11-0011), then it's probably not a security breach.

The problem comes in when there's other information, even circumstantial information. For example, if you knew this was the SSN for a person at Duke, then it would probably constitute a security breach. If you knew it was a person at Duke with a $50,000/yr salary, it's even more of a breach because there are fewer potential people.

To me it's something of an exercise in probability. If I have a random number that looks like an SSN (437-11-0111), but I know nothing about it, then there's roughly a 1 in a billion chance that the number belongs to an individual. If I have an SSN and I know it belongs to someone at Duke, there's a 1 in 36,000 chance of identifying to whom it belongs. If I know it's a student's SSN, it's 1 in 9,000 or so. Worse than that, since the 1st three digits roughly indicate age and place where the person is born, you could probably narrow it down quite a bit.

All of which is a long winded way of saying that a file of SSNs associated with a known university should probably be considered a breach. However, any notice should reference the lack of identifiers in the file.

-chris

On Mon, 27 Mar 2006, Geoffrey S. Nathan wrote:
Quick poll (apologies for cross-posting..)

Suppose a file was stolen/accessed containing only social security numbers with no names attached. Would this constitute a security breach necessitating notification of those whose numbers were compromised? (Leaving aside the question of whether the theft/access itself is a breach).

Geoff