Slashdot: News for Nerds

What Can I Do About Poorly Handled Data Theft?

Cliff posted more than 7 years ago | from the caught-between-a-rock-and-an-institution dept.

Embarrassed UTA Alumnus writes "My former college, the University of Texas at Arlington, just made the now-all-too-common announcement that student data — including Social Security numbers, e-mail addresses, grades, and other information — were on several recently stolen personal computers. The computers were from the home of a Computer Science lecturer, and perhaps more worrisome was the fact that they were the only stolen items in the incident. I had the displeasure of taking one of the lecturer's courses a few years ago, and anyone from his courses since the year 2000 is affected. In response, UTA is providing free 90-day 'fraud monitoring' (not full credit reports), and no disciplinary action has been taken against the lecturer who lost the data." In situations like this, what can a student do when a large institution loses critical private information, makes only a token effort to fix the problem, and lets the people involved continue in practices that may make a similar, or more serious breach occur in the future?

"The data was not encrypted. The lecturer in question is one of the CS faculty at UTA who all conveniently guarded one another, so I guess I shouldn't expect more from him in that area. More importantly though, no one should have had this data on their personal computers, and Social Security numbers should not have been included at all. Furthermore, even without the concern of theft, I seriously question the need for years-old private student data. It is suspicious at the very least.

The UTA PR department is already trying to bury the issue with vague claims of new efforts to hire a system-wide CIO who would be responsible for all 15 UT system campuses. The lecturer in question responded to the student newspaper with 'no comment' each time they attempted to interview him.

I feel like the university should do more, including seeking disciplinary action against all involved. What can I do, short of keeping an eye on my credit and letting the school get away with yet another blunder?"

53 comments

Obviously (4, Funny)

Rob T Firefly (844560) | more than 7 years ago | (#16855048)

Give them fake info when you sign up to college. As an added bonus, you'll never have to pay off that student loan.

Only downside is eventually having to explain the diploma in the name of "Nospamplease Fuckoff" proudly displayed on your wall.

Re:Obviously (0)

Anonymous Coward | more than 7 years ago | (#16856012)

Only downside is eventually having to explain the diploma in the name of "Nospamplease Fuckoff" proudly displayed on your wall.


No problem. "I had my name legally changed when I moved to Bangalore to be an offshore contractor."

Easy (0)

Anonymous Coward | more than 7 years ago | (#16855056)

You do the same thing the rest of us do when companies that we've never heard of before compromise our privacy. Nothing. Oh, sure, you should monitor your credit report, and keep a sharp eye on your credit card statements and bank statements. On the whole, there isn't much you can do. Good luck!

Re:Easy (1)

cooley (261024) | more than 7 years ago | (#16855510)

First off, I'm not a lawyer and I don't even play one on TV.

If you can afford a lawyer, I'd file a civil negligence suit against the lecturer and the school. Don't ask for "eleventy billion dollars" or anything that would make you out as somebody looking to score an easy buck; rather, ask for an amount that would cover your legal costs and time (as well as any real damage caused by the theft) and ask for real assurances that it won't happen again. If you know several people involved, share the lawyer expense and try to get a "class action" suit (if that's possible; I dunno).

Remember, a civil trial rests on "preponderance of the evidence" (as opposed to the higher "reasonable doubt" standard of the US criminal courts) and it's easier to win. If you can show that they grossly mishandled the data, especially if they already had policies to prevent this, and even more especially if the policy wasn't being enforced at all, you should be able to strike some fear into them.

When you provided your data to the school, you had a reasonable expectation that they'd take reasonable measures to protect it. That's not what happened.

I have a strong distaste for our "sue happy" society, but some people and organizations are so lame (and so unafraid of the consequences) that the only way to wake them up is to hit them in the pocketbook, or at least make them afraid of a huge hit to the pocketbook.

At best, you'll get some cash and feel a little better about the security of your data. At worst, you'd hope the school will be "called out" and maybe be forced to fix some of the stuff they're doing wrong. If the lawsuit scares them, maybe they'll ditch (or at least discipline) the lecturer, and at the very least they'll hopefully shore up their policies.

Why do professors need SSN? (3, Insightful)

kabocox (199019) | more than 7 years ago | (#16855072)

Um, Joe Random PhD Professor should only need your name and student ID number, which shouldn't be your SSN. I'd be more ticked off that the university was handing out your SSN to all the professors of the classes that you've taken. I wouldn't trust my major field advisor, I wouldn't trust many general ed. professors that I had to take. They don't need that information. They need your name and a university assigned ID number. Only a few people in admin. really need your SSN and they should be able to look it up by your Student ID number.

Re:Why do professors need SSN? (1)

MindStalker (22827) | more than 7 years ago | (#16855770)

Exactly, firing the professor? What for. It is the responsibility of IT to make sure there is a responsible security policy. If the general policy is to give the professors all this information on a laptop that they carry around it's bad IT policy. Yes the professor lost a laptop, and maybe he should have to pay for it, or whatnot, not really your call, and a whole different issue.

Re:Why do professors need SSN? (1)

LurkerXXX (667952) | more than 7 years ago | (#16855892)

The sad thing is, this was a CS professor. If anyone should realize they should have that stuff in an encrypted file/partition, it's a CS professor.

But you are exactly right, they should never use SSNs as student IDs, and there should be an IT policy to keep that stuff encrypted for all the other professors in other departments who are unlikely to be as clued in to computer security as this CS professor SHOULD have been.

Re:Why do professors need SSN? (1)

maxume (22995) | more than 7 years ago | (#16856168)

It isn't even people that need your SSN if you want to get pedantic, it's certain processes (or maybe some better word...).

Re:Why do professors need SSN? (1)

toddbu (748790) | more than 7 years ago | (#16856574)

Having taught in college myself, I never liked having student SSNs, which were used as a student ID. In fact, I was pretty unhappy that my campus ID badge had my SSN printed boldly on the front. After someone lifted my credit card info and ran up a bill for $15K, I started my cleanup of private information. I sent an email to HR and asked them how I could get my SSN removed from my ID. They issued a new number and then I picked up my new ID at the campus security office. At some point they realized the risk and issued new IDs for everyone. It's just sad that anyone ever thought that an SSN would make a good ID.

Re:Why do professors need SSN? (0)

Anonymous Coward | more than 7 years ago | (#16856736)

So, write your legislator(s) and demand that they change the law in your sorry state. One model is the California data security disclosure law:

http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html [ca.gov]

Adding some teeth to it, like credit monitoring, or penalties would help people like you.

Like another poster said, get the students in an uproar...

Re:Why do professors need SSN? (1)

kenneth_martens (320269) | more than 7 years ago | (#16857426)

I'd be more ticked off that the university was handing out your SSN to all the professors of the classes that you've taken.

It's worse than that. I'm currently a UTA grad student. Until this year, UTA student IDs were the same as your SSN, unless you specifically requested a different number. Starting in the summer session of 2006, all new student IDs are now a 10-digit number unrelated to your SSN. So until this year, UTA professors had to have access to SSNs because there was no other way to do it. Don't blame the professor here. I think the blame lies squarely with the university administrators.

Re:Why do professors need SSN? (0)

Anonymous Coward | more than 7 years ago | (#16860262)

So until this year, UTA professors had to have access to SSNs because there was no other way to do it. Don't blame the professor here. I think the blame lies squarely with the university administrators.

Ugh. Having to access the SSNs for some purposes and actually storing them plaintext on the hard drive of your personal computer are two completely different things. This is a CS professor, and you are a CS grad student, and you both should know better.

Sure, the IT department and admin are stupid for using SSNs in general, but he shouldn't have stored ANY student information (it wasn't just SSNs) on a personal machine for 6+ years. Even now that the IT/admin is stopping the use of SSNs for student ID numbers, he still would have done that. He has no business with my e-mail address, grades, or anything after the semester is over, and he has no business at all storing them at home. And unencrypted! He should never be allowed to teach a CS class again!

Well, knowing Springston, and knowing how bad the CS department is at UTA (Rethard, Springston, ... need I go on?) I guess I shouldn't be surprised. I want him to be made into an example, but I'm sure that nobody at UTA has the balls to do it. One more notch down for the reputation of the university that is printed on my degree.

Re:Why do professors need SSN? (1)

Anthracks (532185) | more than 7 years ago | (#16857632)

I think they are VERY, VERY slowly changing it, but at my University it was your student ID number. You could go through an overly complicated process to change it to a randomly assigned number, but that was 100% guaranteed to screw up your financial aid, course registrations, etc. so no one did it. Absolutely moronic system, but that's kinda the school's hallmark.

Re:Why do professors need SSN? (1)

Kamots (321174) | more than 7 years ago | (#16860398)

I attended this school and had this professor.

Anyways, to address your concerns...

The school had until very very recently (i.e., '06 I think) the standard practice of using SSNs as student IDs and made it a rather difficult prolonged process to get an alternative ID (I know, I tried, I gave up). This would be why SSNs are included in the stolen records. Blame the school in this case, not the prof.

Additionally, from my understanding, professors are supposed to be keeping grades for at least 5 years following the course. So again blame the school, (or the state, or feds or whoever).

The data should have been encrypted though. Knowing the prof, I'm really surprised that it wasn't, as he was one of the profs that I really respected.

As for the school's response? Very shortly after the theft they had the local news stations make announcements regarding the theft and directing affected people to their online information and assistance, then they sent out letters to every individual affected.

I would hope that the school would implement policies that would ensure that all future data will be stored encrypted for the future though. No mention of anything yay or nay along these lines though. However, they have provided more in the way of help dealing with the situation than many of the data theft situations we've heard about in the recent past.

As for the person making the post... he sounds like someone that has something against the prof and is abusing slashdot :/ I mean, "The lecturer in question is one of the CS faculty at UTA who all conveniently guarded one another"... seriously... this is a little bit too tin-foil hattish; and complaining that he didn't give a comment to (a rather bad) school paper as a reason to publicly shun him?

My personal opinion after having had this prof for 3 courses, is that if any prof would have worked hard to make sure that students were notified and a proper followup was taken it would have been him. I have a lot of respect for the guy. He's one of the few profs I've had in my 7 years of schooling that really knew his material, admitted when he didn't know something, and treated his students with respect.

Re:Why do professors need SSN? (0)

Anonymous Coward | more than 7 years ago | (#16876276)

I'm the submitter. My wording was changed from the original submission, so not everything I said was communicated properly.

I had one course with this professor, and I made an A. I never had a personal confrontation or issue with him, but I stand firmly behind my judgment that he wasn't qualified to teach a CS course. As someone who had professional experience in the field before entering the program, I felt like I wasted my money on the course and, in the end, the program (I switched majors later on). I think that Mr. Springston is a nice guy, but he does not understand certain basic things that should be prerequisites for a degree in CS (and he is teaching it!).

I also felt like there was a certain atmosphere of protection in the department that made it difficult to complain about these things. I don't think that is "tin-foil hattish" since it is often the case in any organization.

Of course I blame the school for using SSNs for student ID numbers. However, I blame Mr. Springston for storing them insecurely and on a personal computer.

I think he should resign or be fired. Like I said, he's a nice guy, but this completely avoidable incident (especially by somebody who is supposed to be versed in the art) was the straw that broke the camel's back -- at least for me.

Re:Why do professors need SSN? (0)

Anonymous Coward | more than 7 years ago | (#16861050)

But what if there were two "akmed ali massad"s in the class. Both from the same genealogical background so they look alike too. The only way to tell them apart might be the social security number. The one ending in xxx-xx-1234 would be number one and the one ending in xxx-xx-1235 could be number two.

Re:Why do professors need SSN? (1)

kenb215 (984963) | more than 7 years ago | (#16862954)

A SSN wouldn't be needed for that. Just assign both of them a different student ID number when they applied/were accepted. Everything outside of financial aid should use that number instead.

Re:Why do professors need SSN? (1)

charlesnw (843045) | more than 7 years ago | (#16861896)

I believe the universities are forbidden by law to use your SSN as an identifier. I know the ones in California are. Well at least the community college system I took a few courses at was.

That's all? (1)

onecheapgeek (964280) | more than 7 years ago | (#16855130)

It's a hell of a lot more than most places do when this sort of data is breached.

Short of screaming and crying at the top of your voice, there is nothing you can do.

Re:That's all? (1)

gurps_npc (621217) | more than 7 years ago | (#16855432)

You can ALWAYS sue.

Whether it will be worth the time and money involved, well, that is another question.

My first thought? (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#16855184)

Blame the Jews.

IANAL but... (2, Insightful)

rueger (210566) | more than 7 years ago | (#16855210)

... would suggest that you hire a lawyer. You can bet that the college did.

Re:IANAL but... (2, Informative)

MBCook (132727) | more than 7 years ago | (#16855284)

I agree, see if you can get a case. See if you can get it class action. Breach of privacy, lack of due diligence, there has got to be more than a few regulations that were broken. When I worked as a student aid at my college I had to sign paperwork and read some laws about how to handle student data to prevent all this kind of stuff. He should be liable under those laws (as should the school).

I'm not a lawyer, but I bet you can find one that will take your case.

Schools respond to two things: lawyers and money. You don't have enough of #2 (you can't withhold your yearly $10,000,000 donation) so #1 is your only hope.

Re:IANAL but... (1)

Pulsar (4287) | more than 7 years ago | (#16858564)

I think this is a great idea; check out my comment below, http://yro.slashdot.org/comments.pl?sid=206648&cid=16858478 [slashdot.org] - UTA knew about the dangers, and had accidentally posted students' social security numbers on the Internet in the past. I think there's grounds for a lawsuit, and as someone who had been asking UTA to stop using his social for years, I would join a class action lawsuit if someone organized such a suit.

Re:IANAL but... (1)

rueger (210566) | more than 7 years ago | (#16855972)

Let me add that the point in seeing a lawyer is not just to punish the college for what has happened, but to make sure that you cover your bases in case you suffer damage weeks, months or years down the road.

If, a year or two from now, a mortgage default suddenly appears on your credit report you need to be sure that you can take that back to the college, not have them wiggle out of liability because you did something wrong in the interim.

Write a letter to the Student Newspaper (1)

Marxist Hacker 42 (638312) | more than 7 years ago | (#16855212)

Blow the issue wide open by writing a letter to the editor of the student newspaper- get the students to lobby about the issue, and the school will be forced into doing the right thing just to avoid mass walkouts of classes or rioting near the admin building.

Re:Write a letter to the Student Newspaper (1)

Odin_Tiger (585113) | more than 7 years ago | (#16855350)

Rioting? That is so last generation. These days, we blog. Get a blog about this issue in the first 10 results of a Google search for UTA, University Texas Arlington, etc., and see how long it takes for the Registrar's office to start raising hell when 1 of every 2 or 3 potential new students wants to know what has been done about the recent privacy breach.

Didn't read the summary (1, Funny)

nacturation (646836) | more than 7 years ago | (#16855304)

Poorly handled data theft? If they did it so poorly, perhaps you could contact them and provide them with all of your personal information so they're not missing any vital parts. Make sure to chastise them so that next time, they steal data with more care.
 

Response (0)

Anonymous Coward | more than 7 years ago | (#16855344)

Proper response depends upon school details. If no harm comes to you (e.g. your identity is not stolen), then there is no significant legal recourse. Does the school offer free legal counsel? There may be enough of a case to harass someone in this way.

Does your school have an honor court? Mine did. Though it was usually used for accusations of cheating, it could be used to lodge complaints about a teacher's practices.

Does your school have a petition process? My school also allowed students to petition the school for policy changes and specific exceptions for unusual situations. For example, if a student lost both parents in a car accident, that student may be able to petition to withdraw from the semester of school even if it was beyond the normal withdraw deadline. That means the student may be eligible for a full or partial refund and/or will not automatically fail the unattended classes.

possible actions (3, Informative)

Red Flayer (890720) | more than 7 years ago | (#16855420)

Not to be a pedant, but...
What can I do, short of keeping an eye on my credit and letting the school get away with yet another blunder?"
I don't think you want to do something "short of" that... I think you want to do something more than that ("long of"?).

Seeing as most of the administration sees information loss as nothing more than a potential liability to them, you need to make it clear to the University top administration that this gaffe is totally unacceptable. They need to understand how bad this is -- and that it will affect their alumni fund drives.

I'm assuming that you're fully aware of the potential problems, and how serious they are (why else would you be asking the question). You need to inform the administration, by letter (make sure you cc: your local newspapers and television station(s), and follow up with them to try to get some more negative publicity for the U), just how serious it is.

One other thing you can do (from an OU mishap [merit.edu] ):
One resourceful alum dispensed with hints, threats and allegations, and simply billed OU for the time she spent checking her credit status. Calling the university "fully liable" for her outlay of time, she e-mailed an invoice for three hours of work at her "usual billing rate" of $165 an hour.

In its latest response, OU Legal Affairs Director John Burns has contacted the firm the woman works for, asking for confirmation of her hourly rate.

Re:possible actions (0, Flamebait)

Paracelcus (151056) | more than 7 years ago | (#16857300)

A computer science professor that's too god damned stupid to use an encrypted filesystem?
Seems about right, don't it?

(Drool, stammer, cough) Ah did'n know ah cud doo dat, `cuz ahm a PHd... ;-)

Re:possible actions (0)

Anonymous Coward | more than 7 years ago | (#16859298)

The only way to prevent this for the future is to lobby for some proper privacy and data retention laws. As long as anyone is allowed to store and sell any data he gets his hands on, without even so much as a slap on the wrist if any of it gets stolen and damages actually occur, there's no incentive whatsoever to guard other people's private data. Worse, selling it is a potential source of income.

publish the president's & regents' SS numbers (3, Interesting)

peter303 (12292) | more than 7 years ago | (#16855798)

Tit for tat.
If they are that sloppy, then these numbers should be easy to get. And it "can't be wrong" because the administration let your number get out.

Common sense (2, Insightful)

uab21 (951482) | more than 7 years ago | (#16855860)

I'm waiting for the inevitable "You shouldn't do any business with those careless assholes! Transfer immediately!" replies. Unfortunately there doesn't seem to be anyplace that actually implements identity security correctly (Thanks USGov/Financial System/Educational System for making the sole key to my identity something anyone can find out for $19.95 or less!). If you're really concerned, pay for a credit monitoring service yourself. Chalk it up to yet another random fee that you have to pay to get an education.

Figure out what you want and then ask for it (2, Insightful)

Slashdot Parent (995749) | more than 7 years ago | (#16855902)

What, exactly, do you want the school to do? You keep asking for more, but you don't mention what.

The professor can't retroactively encrypt the data, nor can anybody unsteal the computers that contained it.

The only thing you mention is that you want to see the professor disciplined. Will this bring your data back? Will you benefit from the discipline of a professor whose class you took years ago?

What more do you want the school to do for you? You mentioned that you felt 90 days of credit monitoring was insufficient. Of course, now you can personally monitor it yourself [annualcreditreport.com] free of charge.

Just decide what it is you want and ask the school for it. You never know. If your request is reasonable, you just might get it.

Re:Figure out what you want and then ask for it (1)

mrchaotica (681592) | more than 7 years ago | (#16857508)

One answer to that would be "to make sure it doesn't happen again in the future." The best way to ensure that is to make sure all the other professors know that they'll be fired (regardless of tenure) if they do such a thing in the future, and the only way to demonstrate that is by firing this professor now.

Re:Figure out what you want and then ask for it (1)

onecheapgeek (964280) | more than 7 years ago | (#16858040)

One answer to that would be "to make sure it doesn't happen again in the future." The best way to ensure that is to make sure all the other professors know that they'll be fired (regardless of tenure) if they do such a thing in the future, and the only way to demonstrate that is by firing this professor now.

You really don't know how it works, do you? It is NEARLY impossible to fire a tenured professor. In fact, in order to fire this one, he would have to be actively using or selling the SSNs.

Even worse, you may not be able to immediately fire an untenured professor for this, depending on how the contract with the union is written. In either case, I suspect you can't do anything to someone for having something stolen from their home.

Yes, the data security was very lax there, as it is at ALL major institutions, regardless of type. In fact, most universities have very good systems in place compared to, say, the military. You have probably heard of some of those cases, like that famed British hacker who hit 'Enter' at the password prompt [securityfocus.com] and now faces hacking charges?

Re:Figure out what you want and then ask for it (1)

mrchaotica (681592) | more than 7 years ago | (#16871642)

You really don't know how it works, do you? It is NEARLY impossible to fire a tenured professor. In fact, in order to fire this one, he would have to be actively using or selling the SSNs.

No, I don't care how it works. I care about how it should work, and how it should work is that no amount of tenure or anything else should excuse someone from committing gross negligence such as this!

It is a violation of FERPA (4, Informative)

Seraphim_72 (622457) | more than 7 years ago | (#16856030)

Though usually seen as a law regarding the voluntary violation of privacy I wonder if you couldn't get it to work in this case as well. One of the rules for FERPA [ed.gov] is that
A school MAY disclose education records without consent when: * The disclosure is to school officials who have been determined to have legitimate educational interests as set forth in the institution's annual notification of rights to students;
Now IANAL but I would bet at no point did the school ever tell you that instructors got to get your SSN. Moreover I bet that they never told you they get to retain that data either. Plus, one of the rules is that the person receiving the data must be getting it for a legit reason (like it being your ID number). I can tell you this though - I work at a college in a small IT Dept, we get 2 yearly lectures about student privacy, because of FERPA. I say write the FERPA people about it, you have never seen an Institute of Higher Ed move faster than when the Feds show up and start talking funding.

Sera

Re:It is a violation of FERPA (1)

macdaddy (38372) | more than 7 years ago | (#16856874)

Especially because the penalties include 1) loss of all Federal funding, 2) fines, and 3) jail time. I spent many years working for state institutions. I guarantee that they'll take a FERPA threat seriously.

Possible responses (1)

rlp (11898) | more than 7 years ago | (#16856590)

Looks like you've tried going through 'normal channels'. Since that's not working, escalate. Move up the chain - try the University ombudsman (if there is one) and even the President of the University. Write a nicely worded letter, describing the problem and explaining what actions you want taken.

If that doesn't work, you have other options. Organizations respond to three things:

1) Threats to their existence
2) Threats to their finances
3) Threats to their reputation

As for item 1 - I'm not referring to nuking them from orbit. I presume they're a public university and as such answer to the legislature. The legislature is ultimately responsible for their funding and indeed their continued operation. You can contact your state representatives or perhaps your state education department with complaints.

As for finances - again, there's the legislature and also alumni groups (some of whom may be affected by the security breach) can bring pressure to bear.

Finally - reputation: you've already posted to Slashdot. Someone suggested blogs. There's also 'old media' - TV ('action lines'), newspapers, etc.

Why give them your SSN? (2, Insightful)

TheCabal (215908) | more than 7 years ago | (#16856704)

This is exactly why I don't give my college my SSN. Data theft from schools is becoming way too common for me to be comfortable. Colleges don't need your SSN, they use it as a convenient way to generate your StudentID. Most colleges accept out-of-country students, who don't have SSNs, and have a system for generating StudentID numbers for them. My college gives me the option to use either my SSN or have a number generated for me, you can guess which one I chose.

Seriously. Nobody but your bank and employer need your SSN, and it's not supposed to be used for non-Social Security identification purposes anyway. Why people insist on using it as such, and why people still freely give it away just boggles my mind.

Re:Why give them your SSN? (1)

wiz31337 (154231) | more than 7 years ago | (#16857038)

AMEN! Mod parent up!!!

Re:Why give them your SSN? (1)

DesertBlade (741219) | more than 7 years ago | (#16857666)

If you are receiving any financial aid they will need your SSN to tie in the award to the student taking classes. I used a generated SSN at first but then I started to receive FINAID and had to give up my real one.

The instructor still didn't need the information to conduct his daily business.

Re:Why give them your SSN? (1)

cr0sh (43134) | more than 7 years ago | (#16871072)

The way to do this on forms you are given when there is no instruction otherwise (such as calling somebody to explain the situation) is to write on the form where it asks for the SSN the words "PLEASE ASSIGN" - in some manner (depending on the process), this will flag the form, and the number will be assigned by the system ("system" here meaning the people handling the document and computer processing systems involved).


Do this anywhere on forms you know don't need an SSN - typically anything not being used for money handling (thus, you need to give your SSN to credit lending institutions, and your employer - but not employer-provided insurance, excepting life insurance, of course).

UTA Knew About Data Security Problems, Did Nothing (3, Informative)

Pulsar (4287) | more than 7 years ago | (#16858478)

Ahh, UTA. My bittersweet alma mater. Had some great times there, and some really frustrating times.

Perhaps the most frustrating was when my name, phone number, dorm room number and Social Security Number were PUBLISHED ON THE INTERNET. This was in Feb 2003. The university was notified, they eventually took down the webpages that had been indexed by Google (searching for someone's name who lived anywhere on campus at UTA resulted in their social security number popping up in a result on Google. How handy!) and they engaged in massive spin-control.

After it happened, it became fairly public knowledge that UTA used your social security number as your student id, and that your student id was actually encoded in plaintext on your student id card. Lose your student id card, lose your social security number.

The University of Texas System made some system-wide rules after another data security incident occurred shortly thereafter at the University of Texas at Austin. Schools were no longer to release social security numbers to professors, since they had no need for it, and all schools in the UT System were to stop using social security numbers as identifiers within a year or two. This deadline was continually extended, until they finally set it at September 2007.

UTA knew that too many people had access to students' social security numbers; indeed, the school newspaper has over 92 articles concerning the school's use of social security numbers, the questionable legality of such use and the dangers (ref.: http://search.yahoo.com/search?p=social+security+number&vs=www.theshorthorn.com&fr=yscpb&fr=yscpb [yahoo.com] )

My social was also one of the ID #'s that were stolen in this theft. I too, was appalled at how UTA handled this. Originally, the notification on UTA's website said that the Office of Information Technology would have a form you could fill out giving them your email address and asking them to check if you were affected; the notification was later edited to say that you must call the University's registrar's office and update your address, email address and phone number if you wanted them to contact you - clearly an effort to update the records of the Office of Development so that they could get your current address to begin spamming you about their new fundraising campaigns. And the "discounted" identity monitoring service...from a company I've never even heard of? Nice, UTA. Makes me so proud to call UTA my alma mater.

I honestly think there's enough here for a lawsuit, and would love to participate in it. Anyone heard anything about a suit, or considering one?

Re:UTA Knew About Data Security Problems, Did Noth (0)

Anonymous Coward | more than 7 years ago | (#16861732)

I'm the submitter, and I'm interested in finding a lawyer who would take this on pro bono. I'm probably going to try and call a few local offices this week/next week to see if anybody is interested.

E-mail me at kcirtemosi gmail com if you'd like to hear about any results. I can't promise anything, but I'm at least going to try. I hate how this crap devalues my diploma. Any help would be appreciated.

First, watch a movie... (0)

Anonymous Coward | more than 7 years ago | (#16860568)

..You need to watch or re-watch Animal House. Now, do what you think those guys would do... or you could just start a class action lawsuit, negligence, etc. Those are your options.

credit agencies are at fault here (2, Insightful)

epine (68316) | more than 7 years ago | (#16862704)

The fundamental problem here is the credit reporting system itself. I suppose after being subjected to the education system for twelve to twenty years or so, that learned helplessness with respect to the contents of a report card or GPA is deeply engrained.

The contents of the average credit report amount to unsubstantiated slander. It's tremendously easy for smudges to accumulate, with little effective recourse. In any other life circumstance, the same poor, fragmentary, and unsubstantiated quality of information about a person's status and character would be open to action as libelous.

I think the credit reporting agencies should be made liable for reporting negative information about any person as a result of criminal credential fraud. Even our terminology is wrong: we are talking about the theft of credentials not personal identity. An identity can't be stolen. Only the credentials are subject to third party manipulation. The institutions who choose to accept credentials as evidence of an identity should be prepared to bear the cost of their own mistakes.

And the worst of it is that our existing credentials are designed by baboons. It's not humanly possible to protect credentials you hand to every teenage till monkey five times a day.

We all know the truism that when you hear one person criticize another, it says as much about the person making the criticism as it does about the person being criticized. Yet the credit reporting agencies are somehow given a free pass which I've never understood. Might it be that a bad credit report reflects bad credit reporting practice? I guess we're so overwhelmed by our powerlessness in that relationship (my god, even more powerful than Miss Wormwood) that you rarely hear it suggested that perhaps the credit agencies themselves are no better than ICANN or VeriSign.

I would love to see this case (1)

phorm (591458) | more than 7 years ago | (#16866644)

You actually make a very good point.

If "Credit Agency X" reports you as being unreliable due to actions "Y" and "Z", and you did not commit said actions, could that not be construed as libel or defamation?

It falls pretty damn close to the definition in Webster's dictionary of law:

Communication to third parties of false statements about a person that injure the reputation of or deter others from associating with that person

When I can't take out a mortgage because credit reporting company X has informed them I am a risk due to debt management, is that not defamation by the preceding definition?

Push your Senator for DP laws (1)

martin (1336) | more than 7 years ago | (#16867640)

You need to push to get Data protection legislation (similar to that used in the UK/EU) to be made a Federal Law. Some states are looking into this, but basically as the law in the US stands people holding information on you (either electronic or paper) have no legal rights to look after this information in a proper way.

IMHO until this gets fixed you're with luck on any redress.

What you should really do... (1)

cr0sh (43134) | more than 7 years ago | (#16871808)

You, and many others, have been suckered into a trap, for a variety of reasons, not the least of which is "because it is the American Way!". This trap, though, is a lie, one that is perpetuated and handed down through the generations from parent to child, with little questioning done by either side as to whether it is right and helpful, or wrong and harmful, to the individuals practicing it. It is foisted on the American public by large institutions out to get our dollars at every turn, and in return, these same institutions promise us minor "blessings".


I bet you are now thinking "is he yammering on about religion?"...

No, but both religion and this trap utilize much of the same marketing, dogma, and cult-like branding, coupled with generational institutionalization, that have made each successful and entrenched within the American citizen's consciousness - and in many ways, to the detriment of progress, both physically and "spiritually". The trap is known as "credit", and is one that each and every one of us should steer clear of, as much as possible.

For now, you need to do everything you can to break the cycle, starting with getting your SSN disassociated amongst the various databases. Be glad in the knowledge that the dimwits behind these systems couldn't normalize themselves out of a paper bag, thus, over time, your old data can become obfuscated amongst the new, as long as you sever the link soon. Do so, first, by marking all forms in the future not having to do with credit with "PLEASE ASSIGN" in the SSN field. Next time your medical insurance is up for renewal, do this. It isn't perfect, but it will help.

Then, work on getting out of debt: First and foremost, stop charging things on those credit cards, and start paying them off. You need to first plan and religiously stick with a budget. Know what you (and/or your SO) bring in, know where it needs to go (fixed bills, minimum payments on the credit cards, gas, food, rent, utilities), then figure what you have left over as "discretionary spending dollars". Hopefully, the chunk will be pretty huge. If it isn't, you are living at the edge and need to back off to something more realistic if you can. If you can't, you will need to get a second job (or earn money some other way). If the chunk is zero or negative, you are living beyond your means (idiot)! Back off immediately. Once you have some known discretionary income worked out on your budget sheet, apply a large portion to paying off the credit card with the lowest balance. Once that is done, increase the payment amount by a small percentage (1-5%), and apply that payment to the next highest balance card. Keep doing this until you have all of your cards paid off, and they are all cut up and not used. When you have them all paid off, start putting that last amount into a savings account or IRA (or some other savings instrument). Build up your savings, and the rest of the time, live off what you make (within your budget). Shun credit (with the exception of a mortgage - because while a mortgage is still credit, provided that the mortgage is fixed-rate and has a low APR, your property value should increase faster over the long term - 30 years - than the interest on the mortgage - you might also double up on payments with some of the extra money after paying off the credit cards, and reduce the principal on the loan to knock the interest back even more). Make your cars last a long time - drive them into the ground, then once they are dead, purchase a used car with cash.

Know this: when you owe money to somebody else, you are a debt slave, ultimately. If you can drop these shackles, you will have less worry and more time. Hopefully, at some point, you can use this newfound freedom and knowledge of your money to move you and your family into a more comfortable setting, and rent out the house you may have (make the property work for you, not against you) to cover its mortgage (you can almost always rent a property for more than the mortgage payment - another reason why, if you are renting, you should seriously look into buying a house or some property).

I found all of this out much later than you are. My wife and I still have some credit card debt (but it isn't a lot), and we have a mortgage (fortunately, a low, 30 year fixed APR), but we own all three of our vehicles free and clear, and we have a bit of savings. We are doing everything to rid ourselves of the credit debt. We buy a lot of stuff used (what passes for "used" in this country is a real laugh - I guess, in a way, I am living off others' stupidity), and we also scrounge for useable items on bulk-trash days (the amount of usable building materials - wood and steel - and fuel thrown out simply stuns me). We also fix and repair where we can, rather than buy new. If we must buy new, we do so with cash. If we don't have the cash, we do without.

This is how most of our grandparents (and some of our parents) lived, which is why in many cases they survived reasonably well during "hard times": they did without credit, they worked with what they had, and if they couldn't afford it, they did without or they used their ingenuity to come up with reasonable and working alternatives (I strongly suggest learning how to use a wide variety of tools and learning how to fix things on your own - old PopSci and PopMech magazines and "do-it-yourself" encyclopedias from the 1950's and 60's are amazing idea resources).

Trust me on this - if you take this advice to heart, and follow it properly, you will feel better in the knowledge that you and your family's financial and future security are safe, whatever life throws at you.

Worrisome? (1)

Rudolf (43885) | more than 7 years ago | (#16880232)

... perhaps more worrisome was the fact that they were the only stolen items in the incident.

So somehow you would feel better if the TV and Microwave were also stolen?