NYU student data leak

[Dave Farber <dave () farber net>]

> Delivered-To: dfarber+ () ux13 sp cs cmu edu
> Date: Sat, 10 Jan 2004 12:05:47 -0500
> From:
> To: Dave Farber <dave () farber net>
>
>
>
> Dave:  Not mentioned in this article is that at the start of 2003,
> NYU laid off its senior system and network security manager, who
> had been with the university for nearly 18 years, in a budget-cutting
> round.  At the time of the layoff, the manager was working on privacy
> issues, including HIPAA compliance.
>
>
>
> http://www.nytimes.com/2004/01/10/nyregion/10identity.html
>
> January 10, 2004
> Students' Data on Web, and N.Y.U. on Defensive
> By KAREN W. ARENSON
>
> Three years ago, when Brian Frank entered New York University, he
> signed up for intramural basketball, providing his name and his
> university identification number, which was also his Social Security
> number.
>
> Yesterday morning, Mr. Frank, who is now a senior, learned from N.Y.U.
> that these details had been posted on the Internet. He was among about
> 1,800 N.Y.U. students who received the same e-mail notification from
> the university. In some cases, students' phone numbers were posted,
> too.
>
> "I'm furious," he said in a telephone interview from his home in
> Parsippany, N.J., where he is spending his winter break. "It is an
> egregious violation of student privacy."
>
> Mr. Frank said that in an age of growing identity theft, he was
> concerned that unscrupulous people might have found his personal
> information and tried to use it.
>
> N.Y.U. officials said the information was posted on an Internet page
> run by Brian Ristuccia, a computer technician in Massachusetts who
> found it on N.Y.U.'s Web site in a list of students interested in
> intramural sports. The university said it was considering taking legal
> action.
>
> "We regret the concern that this may cause our students and former
> students who were on the list, and we apologize to them," John
> Beckman, an N.Y.U. spokesman, said yesterday.
>
> He said that the university's own Web site is better protected now,
> and that the information has been removed from Mr. Ristuccia's Web
> site.
>
> For his part, Mr. Ristuccia said he had removed the information on
> Thursday "mostly because N.Y.U. had notified the affected students,
> and that was the goal of my endeavor."
>
> Computer privacy experts said that Mr. Frank had good reason to be
> concerned.
>
> "The students are at risk for identity theft," said Beth Givens,
> director of the Privacy Rights Clearinghouse, a nonprofit consumer
> advocacy organization based in San Diego. "Who knows how many
> individuals got access to their names and Social Security numbers?
> Just by putting this information on a so-called protected page, N.Y.U.
> was exposing these students to risk."
>
> She added, "This is not the first time I've heard about personal
> information being posted on an internal Web site that is then tapped
> into by someone who has no legitimate right of access."
>
> Mari McQueen, associate editor of Consumer Reports, who led an
> eight-month investigation into identity theft that was published in
> the magazine's October 2003 issue, said that many universities used
> Social Security numbers for student identification, and that the
> practice opened the students to potential financial problems and
> fraud.
>
> "It is a very common practice, and one that needs to be curtailed,
> given the abuses," she said.
>
> She said that it was a particular problem for college students,
> because they have no control over the use of the information.
>
> "If you want to attend the university," she said, "you don't have any
> choice."
>
> Mr. Ristuccia, a 25-year-old computer system administrator for a
> private company that he declined to identify, said in an interview
> that he learned in late November about the information being available
> on N.Y.U.'s Web site. He said a friend told him about it after finding
> his sister on the list.
>
> He said that he sent an e-mail message to N.Y.U.'s system
> administrators in early December to tell them about the problem, but
> that it was anonymous because "it is very common for an organization
> faced with a security problem to blame the person that discovers the
> problem."
>
> He said that he also made a copy of the information - he called it a
> mirror - "so that it would be difficult for N.Y.U. to claim that the
> information never existed."
>
> Mr. Beckman said the material had been accessible to people outside
> N.Y.U. because an athletic official failed to activate the appropriate
> security mechanisms. But he said the university had received no
> previous notification of the problem. He also questioned why Mr.
> Ristuccia had put the information on his own Web site. "That sounds
> like a self-serving excuse to me," he said. "If you were really
> concerned about the privacy of the students, you would not post their
> information on your Web site."
>
> He said that Mr. Ristuccia had also not responded when the university
> first tried to reach him, but waited until the university followed up
> with letters from its legal office.
>
> Mr. Ristuccia, who has posted a commentary of the episode at
> http://osiris.978.org/brianr/nyu-publication/, said yesterday that he
> did not think he had broken any laws.
>
> "There is a class of people who make a hobby of breaking into other
> people's computer systems, but I don't advocate that type of thing,"
> he said. "And that is not what I did. The information was available
> with a search engine."
>
> He said that N.Y.U. had erred by putting such information where it was
> accessible.
>
> Some computer advocacy experts said that problems like this are a
> clear illustration of why universities should not use Social Security
> numbers for student identification.
>
> "A lot of universities have moved away from it," said Marc Rotenberg,
> executive director of the Electronic Privacy Information Center in
> Washington. "It was probably a mistake to use Social Security numbers
> to identify students and to make the numbers accessible online. It is
> not quite like publishing the number. But if someone was able to
> access it without too much work, it is like publishing it online. But
> this other person doesn't have clean hands, either."
>
> Mr. Beckman said that N.Y.U. has been studying the feasibility of
> using a different student identification system for more than a year,
> and would probably make that change in the next couple of years. He
> said the wide use of the numbers made changing the system a complex
> undertaking.
>
> Mr. Beckham said he did not know if this episode would prompt N.Y.U.
> to speed up the conversion.
>
>
> ----------------- End Forwarded Message -----------------

-------------------------------------
You are subscribed as interesting-people () lists elistx com
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/