
UT Austin Hit By Massive Security Breach

timothy posted more than 11 years ago | from the wonder-if-they-got-mine dept.

Privacy 557

mrpuffypants writes "Reported in the Austin-American Statesman: The University of Texas' security was compromised over the weekend, leaking out nearly 60,000 records on students, staff, and faculty. Official word from the school can be found here. Most troubling of all is that, like most schools, UT still uses SSNs for student ID numbers, and that was part of the information taken from them in the attack."


557 comments

1 1 11 11 1 (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#5450532)

1 1 1 1 1111 1111 111 1 1 1111 1 1 1 1111111 111 1 1 11 11 11 11

FP? (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#5450538)

Being a subscriber helps!

FP? (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#5450545)

In the Soviet Union.. they breach YOU!!

frist spot (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#5450546)

frost spit

fp (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#5450548)

fp

Ouch (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#5450557)

That's gotta suck, btw FIRST POST!!

All they got... (5, Funny)

FirstManOnMoon (613282) | more than 11 years ago | (#5450560)

"Those SSNs that matched selected individuals in a UT database were captured, together with e-mail address, title, department name, department address, department phone number, and names/dates of employee training programs attended. It is important to note that no student grade or academic records, or personal health or insurance information was disclosed."

Phew, I feel so much better now!

Re:All they got... (4, Insightful)

stoolpigeon (454276) | more than 11 years ago | (#5450621)

They'll get the rest later using the SSN. That and a name are often all you need. Who cares about grades? When they know who you are and have your social, you are screwed.

What's the big panic about SSNs? (3, Informative)

Gordonjcp (186804) | more than 11 years ago | (#5450671)

Seriously. In the UK the closest equivalent is a National Insurance number, which you give out to quite a few people. Banks often want this (because it's unique to you, which makes record-keeping easier). Your employer will want it, so their accountants can calculate your tax. Your doctor will probably want it, again, because it's a unique identifier.

Why are Americans so paranoid about who knows their SSN?

Re:What's the big panic about SSNs? (3, Funny)

Anonymous Coward | more than 11 years ago | (#5450699)


Why are Americans so paranoid about who knows their SSN?

Because it's a lawless and uncivilized colony filled with criminals who will steal your identity to get a free meal at Ponderosa without a twinge of guilt.

Re:What's the big panic about SSNs? (2, Insightful)

jaymz666 (34050) | more than 11 years ago | (#5450711)

Because EVERYTHING is tied to it. Should someone get a hold of your SSN they can get a credit card in your name, or whatever.

Re:What's the big panic about SSNs? (3, Insightful)

Fulcrum of Evil (560260) | more than 11 years ago | (#5450743)

Why are Americans so paranoid about who knows their SSN?

Because I can use your SSN to apply for a credit card in your name and then, when the bill comes due, it falls on your head (until you explain that that wasn't actually you). Then I can do it again.

I wish I had known... (2, Funny)

Patrick13 (223909) | more than 11 years ago | (#5450564)

I wish I had known about it, I would have asked them to change my transcripts to give me a better GPA. :P

Changing GPA (2, Insightful)

robi2106 (464558) | more than 11 years ago | (#5450618)

Reading the article (as I am sure everyone already has) would tell you that the information was not tied in to any student grades. Two different systems / databases.

This does mean a spammer has a few thousand live accounts of young (read: target audience) college students (read: active email users).

That is bad in more ways than one.

robi

Action (5, Interesting)

StingRayGun (611541) | more than 11 years ago | (#5450565)

What legal action may the students and faculty take? In Washington it is illegal to use a student's SSN to identify students. There was groaning at every campus in Washington for weeks. I bet they're as glad as me that Washington was so on top of this.

What is SSN? (-1)

Anonymous Coward | more than 11 years ago | (#5450570)

Student Serial Number?

Re:What is SSN? (4, Informative)

eglamkowski (631706) | more than 11 years ago | (#5450604)

Social Security Number. Required in the USA for tax purposes and for receiving social security benefits.

Re:What is SSN? (0)

Anonymous Coward | more than 11 years ago | (#5450669)

Ahh..yeah of course. That's instead of personal ID-numbers based on (birth-date + serial_number_within_that_date) then?

I used to go to UT Austin (3, Informative)

JJAnon (180699) | more than 11 years ago | (#5450573)

and so far, there has been NO communication from UT about the possible theft - the only reason I heard about it is that someone forwarded the article to me this morning. UT seems to be adopting a 'lets-hope-nothing-screwy-happens' attitude to the whole thing, and that is very worrying. There is no way to tell if your ID was one of those stolen - which strikes me as being a little weird. It would make sense to inform the affected individuals as soon as possible, so that they could start being a little more vigilant about their credit histories. But apparently that goes against the wishes of the authorities up high.

Illegal? (1)

govtcheez (524087) | more than 11 years ago | (#5450574)

I thought it was illegal to use Social Security Numbers as student ID #s? At least that's what my school told us a couple years ago when they switched ours from them. My school's in MI - maybe it's a state law?

Re:Illegal? (2, Informative)

JJAnon (180699) | more than 11 years ago | (#5450619)

It is not illegal - at least in Texas. UT has been promising to transition to a UT-EID (electronic ID, an alphanumeric identifier) for a while, and I think the current schedule is for it to happen this Fall, but it still uses SSNs for identification.

Re:Illegal? (2, Interesting)

Anonymous Coward | more than 11 years ago | (#5450752)

It is actually very illegal. This was ruled illegal back in the early 90's. The problem is that the state government of Tx just does not care about it. And nowadays, nothing will happen to them.

Re:Illegal? (1)

jkerman (74317) | more than 11 years ago | (#5450682)

Even then it's usually only illegal to FORCE an SSN for access to anything. They still ask, and everybody tells, but they have to take SOME other form of unique identifier.

Re:Illegal? (2, Interesting)

Minna Kirai (624281) | more than 11 years ago | (#5450748)

There's been a little blurb on the bottom of the Social Security cards which says "Do not share this number, or disclose it to anyone not representing the Social Security Administration".

(I don't remember the exact text)

How much force that warning has is debatable. Certainly, any individual student can protest "You've got no right to see my SSN!". When this happens, he typically gets bounced around a few offices until someone responds "Ok, just make up a random number and let's get on with it"

That sucks (1)

jsb2 (75391) | more than 11 years ago | (#5450578)

It's great to know that your information is secure. I wonder how long before someone becomes a victim of identity theft....

joy...

Slightly OT - choice of credentials (5, Interesting)

1984 (56406) | more than 11 years ago | (#5450580)

OK, so I can see how a university might come to use SSNs as an identifier. They're unique and everyone already has one. Easy.

But why are SSNs so sensitive? It's like a credit card number -- it's printed some places, gets bandied about in others. Not exactly confidential, and no intuitive or documented boundaries on who should be trusted with it. So it's a scary number that can be used for bad things, but you'll have to give it out in many circumstances where you aren't fully aware of how it'll be used. Makes it tricky to know who has it, or to make an informed decision about where you use it.

Again, it's easy to see how the practice of using it as a credential has continued (and got worse), but when did it start?

Re:Slightly OT - choice of credentials (0)

unicron (20286) | more than 11 years ago | (#5450672)

With your SSN, an identity thief has all he'll EVER need. He could assume your identity so well with that # that he could sit down at dinner with your family and probably pull it off.

SSN, Important? YES! (1)

robi2106 (464558) | more than 11 years ago | (#5450692)

It is more important than an SSN. With an SSN someone could use public records to find place of birth, date, etc (heck even the SSN itself is coded for regions of the US).

Using that info someone could generate a false passport. Get the picture. False passport, false entry into the States. False entry under a name that exists, that is legit. Airlines would see this person as a green threat (under the proposed new system) and ignore them. If the actual person was a Branch Davidian, an IRA terrorist, PLO, etc they have transparency of movement.

Someone just got all the information they need to smuggle thousands of people around our country. Give each illegal 5-10 different identities, never use the same one for connecting flights, then travel tracking becomes really hard for FBI.

robi

Re:Slightly OT - choice of credentials (3, Informative)

sweetooth (21075) | more than 11 years ago | (#5450728)

Google can answer most of your questions with nifty links like this [privacyrights.org], or this [cpsr.org].

Who would have thunk it?

Are the stolen records ever used? (4, Interesting)

Sgs-Cruz (526085) | more than 11 years ago | (#5450581)

I've seen a whole bunch of 'stolen credit card #' type stories on Slashdot lately... the thing is, we never hear about any repercussions of these thefts. Do the thieves ever use the stolen records in large quantities? Follow-up is good :). Any info people have, post it here (I'm thinking of, in response to the Amazon CC# thefts from a few weeks ago, etc.)

Re:Are the stolen records ever used? (1)

mrtroy (640746) | more than 11 years ago | (#5450654)

there are a few sites where you can buy credit card #'s and/or physical credit cards with stolen numbers programmed on them.

sooo where do you think they get their thousands of cc#'s from?

(no, I don't do that; no, I won't tell you the site; and no, you can't pay by credit card! :P)

but seriously, most of these credit card thefts are likely smaller scale and not known by the company who they were stolen from...what good's a ton of cc#'s if they know they are stolen and tracking them like a mofo!

Re:Are the stolen records ever used? (3, Informative)

HotNeedleOfInquiry (598897) | more than 11 years ago | (#5450706)

Yeah, they get used, mostly in foreign countries. As a merchant who got stiffed for $1700 on one of those uses, I'm not inclined to discuss how it was done on Slashdot.

No offense.

Re:Are the stolen records ever used? (0)

Anonymous Coward | more than 11 years ago | (#5450758)

Yeah, what about the large number of credit card numbers that were stolen from that credit processing agency? Have any of them been used?

One Copy? (2, Interesting)

robi2106 (464558) | more than 11 years ago | (#5450583)

A smart cracker would already have lined up the buyer(s) for the information (probably spam companies) before doing the crack. At least one copy of the data would have been made at the time of the crack to ensure that it doesn't get captured and lost.

But nothing says that these cracker(s) are smart. Possibly just lucky.

robi

Who needs to hack, just work for a university (5, Interesting)

efflux (587195) | more than 11 years ago | (#5450585)

My school still uses SSNs as student IDs. I've found that as a student employee I run into thousands of IDs a day. I know it's the same way for a lot of student employees on campus. When will schools learn the benefits of an autogenerated key?

Re:Who needs to hack, just work for a university (2, Funny)

mrtroy (640746) | more than 11 years ago | (#5450696)

our university goes by random numbers, unfortunately they use the year you are supposed to graduate! so my student id 2003###### looks out of place in all the first year classes I am in, hopefully the young females don't notice....:P

But I would prefer that to having my identity stolen and have horrible credit, depending on the girls.

As a recent graduate... (1)

lhbtubajon (469284) | more than 11 years ago | (#5450588)

...of UT, I think it's reasonable to assume that I'm among the names taken by the bastards.

Unfortunately, I don't have a clue what to do about potential identity theft. I mean, everything uses your SSN. What steps can one take to protect one's identity?

Re:As a recent graduate... (0, Troll)

JPriest (547211) | more than 11 years ago | (#5450667)

Die, and be hopeful that reincarnation does not bring you into the world an over weight, mentally retarded midget.

Re:As a recent graduate... (3, Informative)

binaryDigit (557647) | more than 11 years ago | (#5450681)

What steps can one take to protect one's identity?

You can't (not to say that you shouldn't make it more difficult, but just don't fool yourself into thinking that it's possible to do absolutely). It's like your house or car, you can take steps to make it more difficult to break in/steal, but there is absolutely nothing you can do to stop someone who wants to target YOU. So the best thing to do is to introduce a bit of paranoia in your life and assume therefore that it COULD happen and adjust accordingly. So for your identity, you do regular checks of your credit report, you keep tabs on your bank accounts, you review your credit card statements, etc. The absolute worst thing that can happen is for someone to grab your identity and use it for a length of time without your knowledge. Getting your cc company to forgive unauthorized purchases is easy, as long as you do it within 30 days of your statement. Having someone apply for a cc with your info can bite you in the butt if you're trying to buy that car or get that mortgage, so you make sure you check well in advance and make sure that window of exposure is as small as possible.

Re:As a recent graduate... (3, Informative)

bpfinn (557273) | more than 11 years ago | (#5450722)

If you are worried about credit card fraud, then you can contact the big credit agencies to check your credit report. They are:
Review who is looking at your credit report, and report suspicious activity to them. Having seen a few personal credit reports of people who were using their personal credit to establish a business line of credit, I've seen statements on them like: "Don't issue any credit to this person before contacting me at 111-222-3333".

Chalk one up to the Niggers and Moose Limbs (-1, Flamebait)

Anonymous Coward | more than 11 years ago | (#5450592)

Oy vey! Kush meer in tochas.

Do I play too many games? (1, Funny)

Eu4ria (110578) | more than 11 years ago | (#5450596)

Is it a sign that I play too many games when I read the title as a security breach in Unreal Tournament ???

Eu4ria

Re:Do I play too many games? (1)

Open_The_Box (620252) | more than 11 years ago | (#5450775)

Nah. You don't have to worry 'bout that. Just wait until you start to think of defragging your hard drive as respawning. Then you can start to worry ;)

from what Ive seen (3, Interesting)

odyrithm (461343) | more than 11 years ago | (#5450598)

in schools, it's very easy to retrieve information, I went round no less than 10 junior schools in my area to get information on the new students that are about to enter the new year in the secondary school I work as the information manager.. NOT ONE of the schools asked me for ID, they showed me to a machine and logged me in and let me walk out of the door with the information on floppy...

It's very scary.. but what can you do..

Penalties (5, Interesting)

Skyshadow (508) | more than 11 years ago | (#5450600)

Am I the only one who thinks that there should be penalties for the hack-ee when private information is stolen?

Not to adopt a blame-the-victim mindset, but I mean really, why is this stuff on an internet-connected machine to begin with? I work in health care, and with HIPAA coming into effect, we've been moving a substantial part of our network off the internet -- if there's no physical connection, we can't get hacked.

This stuff needs to be taken seriously, and not just in punishing the offenders. Look at it this way: If your bank got robbed tomorrow and all the items in your safe deposit box were made off with, would you blame the bank if you found out that the vault was left open and the deposit boxes were made of cardboard? I sure would.

Re:Penalties (1)

Trevalyx (627273) | more than 11 years ago | (#5450717)

One thing you really have to be careful of, though, is internal threats. Your system CAN be hacked.. If someone within your area has access to the systems themselves, then it's really only that much safer.
In places like universities, they should really be careful who has access, physical and otherwise.. Universities are where we go to learn, but only so much learning is done in class... They can't (and shouldn't) monitor what we learn outside of class, and people are bound to pick up tips that they are all-too-eager to use, who better than against the university, to which they most likely hold some spite? Not brilliant, sure, but most script kiddies aren't...

Re:Penalties (1)

mrtroy (640746) | more than 11 years ago | (#5450737)

No doubt.

The only issue arises when you need that information available on the internet, let's say to have online course registrations. Then you dump that info on a different box, firewall it like hell and have a secure connection to the front end box.

They could have paid me a few dollars to save them millions in embarrassment and lost info :P

Re:Penalties (3, Informative)

Conare (442798) | more than 11 years ago | (#5450750)

"I work in health care, and with HIPAA coming into effect, we've been moving a substantial part of our network off the internet -- if there's no physical connection, we can't get hacked." Oh really? Something like 60% of breaches are internal. What are you going to do now? Put everyone on their own separate network? We are going to see a lot of medical data stolen since Bush took the teeth out of the HIPAA requirements.

Re:Penalties (2, Insightful)

GuyMannDude (574364) | more than 11 years ago | (#5450767)

Am I the only one who thinks that there should be penalties for the hack-ee when private information is stolen?

I would imagine that under such a system, no organization would ever admit to being cracked since they would be financially liable. And having some third-party prove that the organization was cracked without access to the computer records would be quite a feat.

GMD

preventable? (1)

gh0ul (71352) | more than 11 years ago | (#5450602)

Correct me if I'm wrong, but doesn't UT have one of the best CS departments? and this couldn't be prevented?

Re:preventable? (0)

Anonymous Coward | more than 11 years ago | (#5450693)

AFAIK.... the CS dept doesn't run the university's network.. there's segregation between the academic side and the business side... at least that's how I remember it when I was there (more years ago than I'll admit)

Re:preventable? (0)

Anonymous Coward | more than 11 years ago | (#5450715)

Oh, that's right -- the faculty and students in the computer science department run the administrative data systems, don't they? Just like the faculty and students in the architecture school are in charge of all new construction on campus, and the folks in the business school take care of the university's finance...

Re:preventable? (0)

Anonymous Coward | more than 11 years ago | (#5450729)

The CS department at a university generally focuses on CS, not system administration...

A breakin is also not proof of a poor job in securing the machines, since universities are usually consistently under attack attempts and they can't just close everything up because students need access. A new hole often will be exploited before the admins have time to patch it.

Where are the (0, Redundant)

eyeye (653962) | more than 11 years ago | (#5450603)

Lame Unreal Tournament jokes? You guys are off form!

Seriously though that is a nasty identity theft situation over there.

Clarification? (4, Insightful)

binaryDigit (557647) | more than 11 years ago | (#5450606)

The UT link appears to be /.ed, but when I read it before it sounded like a simple brute force ssn lookup. The attacker simply generated random ssn and sent them against a page that returned information based on ssn. The attacker then simply harvested "positive" hits. The problem was that this interface was exposed to the public and that it had no means of throttling/preventing multiple requests/failed requests.

On another note, UT is phasing out SSN in many aspects of the student's life. My wife's UT ID does not contain her ssn, it has a student # now. Though I assume that there are still many points of interface with the UT system that expect to see ssn.
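
Added example (not part of binaryDigit's comment and not UT's code): the control the comment says was missing, a per-client limit on failed identifier lookups, run against a constructed sweep. The class name, thresholds, identifiers and client addresses are all assumptions made for illustration.

```python
import time
from collections import Counter, defaultdict, deque


class FailedLookupThrottle:
    """Per-client sliding-window limit on failed identifier lookups.

    Hypothetical helper; the default thresholds are illustrative only.
    """

    def __init__(self, max_failures=5, window_seconds=300,
                 lockout_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.clock = clock
        self._misses = defaultdict(deque)  # client -> timestamps of misses
        self._locked_until = {}            # client -> time the lock ends

    def allowed(self, client):
        """Return True if this client may perform another lookup."""
        until = self._locked_until.get(client)
        if until is None:
            return True
        if self.clock() < until:
            return False
        # Lock expired: start the client again with a clean slate.
        del self._locked_until[client]
        self._misses.pop(client, None)
        return True

    def record(self, client, found):
        """Count a miss; lock the client once the window holds too many."""
        if found:
            # Hits deliberately do not reset the count: a sweep through the
            # identifier space gets occasional hits between its misses.
            return
        now = self.clock()
        misses = self._misses[client]
        misses.append(now)
        while misses and now - misses[0] > self.window:
            misses.popleft()
        if len(misses) >= self.max_failures:
            self._locked_until[client] = now + self.lockout


def lookup(throttle, directory, client, identifier):
    """Throttled lookup: returns (status, record)."""
    if not throttle.allowed(client):
        return ("throttled", None)
    record = directory.get(identifier)
    throttle.record(client, record is not None)
    return ("ok", record) if record is not None else ("not_found", None)


def simulate_sweep(max_failures=5):
    """Replay a constructed sequential sweep plus one ordinary user."""
    # Constructed sample data: two valid identifiers in a space of 50.
    directory = {"ID-0003": "record A", "ID-0042": "record B"}
    now = [0.0]  # fake clock so the run is deterministic
    throttle = FailedLookupThrottle(max_failures=max_failures,
                                    clock=lambda: now[0])
    outcomes = Counter()
    for n in range(50):  # one client walking ID-0000 .. ID-0049
        status, _ = lookup(throttle, directory, "198.51.100.7", f"ID-{n:04d}")
        outcomes[status] += 1
        now[0] += 1.0
    # A different client who mistypes once is not affected by the lock.
    lookup(throttle, directory, "203.0.113.9", "ID-0043")
    other_status, _ = lookup(throttle, directory, "203.0.113.9", "ID-0042")
    return dict(outcomes), other_status


if __name__ == "__main__":
    print(simulate_sweep())
```

Keying the limit on the client address alone is the simplest case; a sweep spread over many addresses also needs a global miss-rate alarm on the endpoint.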

Oregon State University (0)

Anonymous Coward | more than 11 years ago | (#5450607)

My school uses social security numbers as their student ID number. I didn't like that idea, so I asked to change it which I was allowed to do. But I then later found out that the school still keeps your ssn on records. My ssn is no longer given out on class lists now (which is why I changed it), but the fact that they still have it makes me a little irritated.

new exploit! (1)

mrtroy (640746) | more than 11 years ago | (#5450615)

"The University is currently developing a communication plan and will contact affected individuals as soon as possible. At this juncture, there is no evidence that the data have been further exposed or misused."

I shall now write a script that emails UT random ssn's and asks "was I affected and what information do you have on me?"

muhahhahaha...

Yikes... (2, Interesting)

TopShelf (92521) | more than 11 years ago | (#5450623)

It's amazing how much information you can get kicked back by simply trolling SSN's. This reminds me of the scandal last year [infoworld.com] with Yale's admissions information, which a Princeton administrator obtained by simply entering SSN's and birthdates on their web site. A brute-force attack like this one, simply adding birthdate to the mix, could have successful results in other places, I'm sure.

It's OK! (1, Insightful)

Anonymous Coward | more than 11 years ago | (#5450637)

Slashdot response: (taken from front page)
"I imagine they will eventually raid some domestic homes and make a scapegoat of some unfortunate teenagers."

Not a difference in my opinion. You might feel different if you were personally affected too. Hackers get what they deserve regardless of age.

SSN, Birthday, first and last names (1)

jasonrocks (634868) | more than 11 years ago | (#5450638)

My former school, UVSC [uvsc.edu] uses social security numbers, firstname and lastname combinations for user IDs. They then use birthdays for passwords. Talk about insecure. I even saw a teacher who typed his password as "password" (He was in CS) Yea, scared me too.

Colleges and Universities need to fix systems! (3, Interesting)

revcorrupt (254160) | more than 11 years ago | (#5450640)

This is NOT the first time, and I do not believe that it will be the last. I work and attend a medium sized college and I happen to know from other employees that our systems have been compromised on several occasions, and in fact they are still being compromised. I do not believe that any critical information has been stolen, but the security of the critical systems at our nation's colleges and universities needs to improve. Our college refuses to publicly admit that they have had a serious breach or deny any knowledge of current security problems. It's quite frustrating to be a computer security enthusiast and attend a college that refuses to admit they have a serious problem.

At least the University is acting responsibly... (4, Interesting)

Dman33 (110217) | more than 11 years ago | (#5450645)

"There are six to 12 ways we could have reduced the risk to the database," Updegrove said. "The sad thing is, we didn't do any of them."

It is good to see the University being so frank and honest about this matter. I am sure some heads are gonna roll, but at least the people affected will be provided with information and know how it happened.

Speaking of how it happened... the article does not go into technical details, but I am curious how this database was accessible to the world and was spitting out data to qualifying queries of SSNs without any security context... I am sure someone here on /. has an opinion as to how this happened?

The bigger breach . . . (2, Funny)

GMontag (42283) | more than 11 years ago | (#5450648)

This johnny-come-lately "UT" is ripping off the initials and the colors of the original UT [utk.edu] (est. 1794 thank you very much)!!

We demand that our child State of Texas cease and desist in the molestation of our look and feel.

Sincerely,
Volunteer Graduate of 1994

PS, The UTK English Department is the Home of the Vowels [harbrace.com] ;-)

different shades of orange (1)

timothy (36799) | more than 11 years ago | (#5450764)

I'm not sure which is worse: do you want your orange brighter and more eye-pokin', or browner and more rustlike?

UTK has a nicer campus, IMO, for matters of simple geography -- Knoxville has *hills*! Architecturally, though, UTA wins by a nose. (Whether or not you're a fan of the UTA campus "Master Plan," it's really not much of a going concern any more -- sprawl has taken care of that.)

Culturally, more similar than people like to admit, but Austin is simply a bigger, hipper city. In fact, Knoxville and Austin have a lot in common -- somewhat liberal by comparison to the rest of the state, high student population, comparatively green ...

timothy

Probably just a student... (1, Informative)

$$$$$exyGal (638164) | more than 11 years ago | (#5450652)

I'll bet this attack was done by a student to get more information about which college freshman girls to harass. When I went to college, the online phonebook did not include gender, or year by default, but you could get that information if you clicked a few checkboxes (but only one student info at a time). A friend of a friend of mine (at the time) wrote a simple script to harvest all of the data. He was never contacted for doing anything wrong.

Hey, here's an idea (3, Interesting)

buffer-overflowed (588867) | more than 11 years ago | (#5450657)

SSN's are valuable because you can use them for identity theft. You can use them for identity theft because they're a national ID card. Something "they" (the mythical them) say they are not.

Apart from that all of the credit reporting, etc. goes through shadow companies that you can do nothing to if they screw you over (IE issue a credit card to a you that's not you).

We need to make using an SSN for identification purposes entirely illegal, credit card companies and banks be damned. Or say it is a National ID and come up with a better way of securing identities.

at least some are getting smarter (5, Interesting)

squarefish (561836) | more than 11 years ago | (#5450662)

Northwestern recently sent this out to all students:

Dear Students:

The following three bulleted topics are of student interest:

* Social Security Number is removed from WildCARD ID
With complaints about identity theft nearly doubled last year as the fast-growing crime topped the government's list of consumer frauds for the third consecutive year, WildCARD offices on the Evanston and Chicago campuses have started issuing new WildCARD identifications without social security numbers.

The re-designed WildCARDS are being issued at no charge to faculty, staff and students who wish to exchange their existing card for one minus a social security number printed on the front. Those without a card to exchange because it was lost or stolen will be charged a $15 replacement fee.

"The new purple WildCARD looks the same as the old one, but as opposed to printing the person's social security number that used to be their Northwestern "id" number, we have implemented a shortened "emplid" number which the University is issuing that has no association whatsoever with one's social security number," said Arthur Monge, manager of WildCARD and Vending.

"We are not mandating that WildCARD holders be issued a new card, but the option is available for anyone who feels concerned about having the social security number visible on their existing card. It is a matter of personal choice to replace their existing card for one with an "emplid" number, at no charge, unless they have lost their card or it has been stolen." Since switching to a new WildCARD is optional, it can be done at one's leisure. Existing WildCARDS will continue to work, so if someone doesn't feel the need to have one without a social security number immediately, they can continue using their existing card until it expires.

Northwestern University's multi-purpose, one-card program, WildCARD, was developed nine years ago to provide better identification for members of the University community and to simplify use of existing services, control access, reduce handling of cash, and enhance security. Students, faculty, staff, spouses and domestic partners of active, full-time faculty or staff, authorized contractors working within the University community, Research Park tenants, and individuals affiliated with a University department are all eligible for a WildCARD. For more information, call Art Monge (847) 467-3135 or check the WildCARD Web site at:
http://www.univsvcs.northwestern.edu/WildCard/index.html

* New vending machine refund bank locations
If you didn't already know it, there are vending machine refund banks located throughout both campuses. A complete list can be found on the WildCARD & Vending web site at:
http://www.univsvcs.northwestern.edu/WildCard/vending.html#refundloc

New locations include the Family Institute at 618 Library Pl (front desk), Lake Shore Center at 850 N. Lake Shore Drive (front desk) and at Wieboldt Hall, 339 E. Chicago (Administrative office, 2nd fl). One is also planned for Galter Library in the near future.

Each vending machine should have a sticker on it that indicates the nearest refund bank. If one is missing, please inform the Evanston Wildcard Office at 7-6843.

* Other tidbits of information:
--The Abbott Hall ATM now sells stamps
--A Pepsi vending machine promotion is taking place now. Pepsi is giving away 80 Willie the Wildcat bobble head dolls. Look for a sticker on your next Pepsi purchase.

SSN as ID number (3, Insightful)

TPIRman (142895) | more than 11 years ago | (#5450663)

While my university doesn't use the SSN for our student ID number, it still asks students to put it on countless forms and enter it into countless databases. It's always made me uneasy, and I hadn't even thought of the potential for a computer break-in. Rather, I was unsettled that any student worker who checked out a book for me at the library could see my SSN on his screen after scanning my ID card.

But nothing wakes up a university -- especially a state school -- like the threat of litigation. If the cracker followed up and committed full-scale identity theft, the students would have grounds for a lawsuit against the school. Consider the recent New Hampshire lawsuit [slashdot.org] that dealt with SSNs and other personal information. With the potential for bloodthirsty lawyers, universities might finally get serious about protecting their students' information.

Bush's daughter (3, Interesting)

wayward_son (146338) | more than 11 years ago | (#5450668)

Doesn't one of Bush's daughters go to UT?

Could this possibly be related?

Re:Bush's daughter (-1)

Anonymous Coward | more than 11 years ago | (#5450707)

yes, when she's not drinking

Re:Bush's daughter (1, Funny)

binaryDigit (557647) | more than 11 years ago | (#5450718)

It probably WAS his daughter. She was probably hunting for info on those over 21 so she could create more fake IDs ;)

What do you bet... (0)

Anonymous Coward | more than 11 years ago | (#5450675)

that MS is telling them that if they had simply upgraded from Win2K to XP, this never would have happened. BTW, the main site runs Solaris, but the in-house is done on MS per our Ex-gov.

It's not the IT department.. it's the provost (5, Informative)

agrounds (227704) | more than 11 years ago | (#5450678)

I used to admin at a University. One of the most frustrating things I encountered was the incessant desire for there to be no restrictions on any of the computing systems that the students used. This includes the servers. The firewall was just an expensive router. We were not allowed to run blocks from the internet to inside IPs, as that defeated the spirit of free access. I tried to explain why it was a 'Bad Thing(tm)' repeatedly, but always met with resistance from the shared governance committee. One cannot blame the administrators in this thing. I assure you they feel just as powerless as I did. This kind of thing will become more and more rampant as clueless faculty (or upper-management in the business world) are allowed to influence major IT decision-making.

Anyone with information... (0, Troll)

jcasey (264935) | more than 11 years ago | (#5450683)

Anyone with information about this crime is encouraged to contact UT's IT director via email. VISA-1234-5678-9012-3456-EXP1207@ut.edu

SS as ID is INSANE!!! (1)

Eric_Cartman_South_P (594330) | more than 11 years ago | (#5450686)

Back when TVs were 4 inches across and black and white, a nine digit number was "good enough" security in a slow and analog world. In modern times the entire idea of using JUST A BUNCH OF NUMBERS as ID is INSANE. And isn't it illegal to use S.S. numbers as a form of ID in the states?

SSN's? Big deal. (2, Interesting)

Slime-dogg (120473) | more than 11 years ago | (#5450689)

Big deal. If anyone wants to know my ssn, it's "336721433".

SSN's are public information.

Re:SSN's? Big deal. (1)

PDXNerd (654900) | more than 11 years ago | (#5450765)

Bad thoughts!! Bad thoughts!! Think pure thoughts!!!!

When you apply for a credit card you do not need a SSN until it comes time for verification. You just did yourself a disservice... I hope someone that can do this will see your post and will remove your number for you.

and this system was on the internet because ? (1, Insightful)

Anonymous Coward | more than 11 years ago | (#5450694)

they thought it would be cool, or because they wanted me to r00t it ?

thanks,
fluffy bunny

Already fixed (4, Funny)

Anonymous Coward | more than 11 years ago | (#5450704)

They immediately disconnected the compromised database from the Internet, later hooking up a database of useless information.

They probably just copied over the DB containing the University's security procedures.

`Recapturing'? (4, Insightful)

TKinias (455818) | more than 11 years ago | (#5450710)

UT says:

UT, in conjunction with the U.S. Attorney's Office, the U.S. Secret Service, and other law enforcement agencies, has focused its efforts since Sunday evening on identifying the perpetrator(s) of the break-in and recapturing the stolen data.

Someone is more than a little bit confused about the nature of digital storage if they think they can `recapture the stolen data'.

`Ah, cool, we've managed to delete the copy they made of our data.'
(whispers)
`Another copy? How many copies did they steal?'

New Spam Email... (0, Redundant)

dynamiteweb (617460) | more than 11 years ago | (#5450724)

I can see it now....

NEW! Overnight REAL UT Diplomas in your choice of:

  • Internet Security
  • Blame the Hacker
  • Choosing Primary Keys

Isn't there a law?? (2, Informative)

PDXNerd (654900) | more than 11 years ago | (#5450725)

A few years ago I got a new bank account and they told me that due to a federal social security law they could not use my SSN as an identification source and that anyone who used it as such was breaking the law.

I know that many institutions and businesses use it (SSN) that way, but isn't it against the law? Or did I misinterpret the statement from the bank?

What the? (2, Insightful)

Baracus (628287) | more than 11 years ago | (#5450742)

Hold on, why were UT's internal data reporting systems hooked up to the internet? I thought sensitive information like this was only exchanged over secure intranet and stored in systems with no access to public networks?

SSN's are used too much (2, Interesting)

StarTux (230379) | more than 11 years ago | (#5450744)

They just should not be used by any third party. One thing I was amazed at after moving from the UK to the US was just how many companies/people here ask for that information when really it's not necessary.

StarTux

Dan Updegrove (0)

Anonymous Coward | more than 11 years ago | (#5450749)

I knew him ~10 years ago when I worked at UPenn. What a dick.

I hope he becomes the sacrificial lamb for UT over this.

UB (2)

hckrdave (588951) | more than 11 years ago | (#5450753)

@ UB we have a "people number". It might sound stupid... but at least if they're hacked they don't get my SSN.

Abridged Version of linked page (1)

cyranoVR (518628) | more than 11 years ago | (#5450754)

Dear UT Austin Students/Faculty/Staff,

We were dumb@sses and now you're royally fscked.

Now let's try and hide those two facts by swamping you with irrelevant details

Sincerely,

UT Austin MIS Staff

Student Numbers = SSN (2, Insightful)

vasqzr (619165) | more than 11 years ago | (#5450777)


You've got WAY more to worry about than hackers.

ANYONE who works in the offices (especially student workers) can get this information. Admissions? Financial aid? All of these people could find enough info out about you to get a credit card in your name or go down to Circuit City and buy a big screen.

Just like the people who worry about their credit card being stolen from shopping online - You've got a better chance of the guy working at the mall going through receipts, or the waitress at Hooters when she takes your card up to pay the bill.

At least they admitted it (1)

jaymzter (452402) | more than 11 years ago | (#5450786)

Obviously there's no way that database should have been connected to the internet. Someone failed to put the crack pipe down on that one. But at least they bothered to take full responsibility for the breach, and admit that they did in fact f*ck up. Should I be impressed, or should I wonder why someone admitting in a public manner that they dropped the ball is refreshing?