UCLA Hacked, 800,000 Identities Exposed

Zonk posted more than 7 years ago | from the educational dept.

Security 148

An anonymous reader writes "The Washington Post reports that a central campus database at UCLA containing the personal information (including SSNs) of about 800,000 UCLA affiliates has been compromised for possibly over a year. The data may have been available to hackers since October 2005 until November 21, 2006, when the breach was finally detected and blocked. Several other UC campuses have also been involved in significant data security incidents over the past few years." From the article: "'To my knowledge, it's absolutely one of the largest,' Rodney Petersen, security task force coordinator for Educause, a nonprofit higher education association, told the Los Angeles Times. Petersen said that in an Educause survey released in October, about a quarter of 400 colleges said that over the previous 12 months, they had experienced a security incident in which confidential information was compromised, the newspaper reported."

Whaa? (0, Offtopic)

riff420 (810435) | more than 7 years ago | (#17206778)

Is TYLER HOYT on that list? Beotch!

wow! (1)

jrwr00 (1035020) | more than 7 years ago | (#17206782)

Watch your bank accounts people this could be a long one,

800,000 people are going to be pissed as shit

Re:wow! (1)

Oddscurity (1035974) | more than 7 years ago | (#17206818)

And with good reason. This having gone undetected for a year shows there must be something very wrong with their IT department, like blind faith in their security? Isn't it reasonable to audit your systems, particularly those with sensitive information like this?

Re:wow! (1)

x1101 (935647) | more than 7 years ago | (#17206906)

apparently not to the people of UCLA. "security audit, who needs that, we have never had a break in be..Sir, someone just informed me that a large number of our student records may have been compromised"

Re:wow! (5, Interesting)

atrizzah (532135) | more than 7 years ago | (#17206850)

My name was on the list. Hooray!

I was just about to submit this story myself. Here's UCLA's official website devoted to the whole incident: Link [ucla.edu]

I wonder, will there be a point in time when we hold accountable either the credit agencies for their broken system or organizations we are forced to trust with our data for not keeping it safe?

Re:wow! (3, Funny)

voice_of_all_reason (926702) | more than 7 years ago | (#17207066)

I wonder, will there be a point in time when we hold accountable either the credit agencies for their broken system or organizations we are forced to trust with our data for not keeping it safe?

Sure. But it's up to you. Here's a handy guide for redressing your grievances: http://en.wikipedia.org/wiki/Storming_of_the_Bastille [wikipedia.org]

Re:wow! (4, Interesting)

pilgrim23 (716938) | more than 7 years ago | (#17208802)

There is only one possible way to protect yourselves these days: Lie. If someone needs your info, or SAYS they need your info ("I am sorry sir but our regulations clearly state you must fill out this form") then lie, fib, tell an untruth! For years I have always typoed a number or two on my SSN on forms, mis-spelled my name, screwed up the address, etc. I never commit outright fraud, but I DO use techniques that will screw up their database. If more of us just smiled, shrugged and said "oh well" to these data leeches in this simple manner, the problem would go away due to the general unreliability of the database.

Re:wow! (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#17206892)

I hope this incident leads to a tasering.

Re:wow! (0, Offtopic)

riff420 (810435) | more than 7 years ago | (#17207072)

I hope this tasering leads to my balls.

Re:wow! (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#17207592)

Does anyone know what's happening about that? Apparently the university has announced [latimes.com] an investigation headed by Merrick Bob, but I can't find any further info.

Re:wow! (1)

k2enemy (555744) | more than 7 years ago | (#17207320)

800,000 people are going to be pissed

especially people like me who applied to the school years ago and never attended. why are they storing SSNs of people that are not students or employees? my info should have never been in there to steal in the first place.

Re:wow! (1)

CastrTroy (595695) | more than 7 years ago | (#17207644)

Why did you give them your SSN when they had no use for it?

Re:wow! (1)

k2enemy (555744) | more than 7 years ago | (#17208368)

they did have a use for it, but after it was clear that i would not be attending UCLA they no longer had a need for it and should not have retained it.

Re:wow! (5, Insightful)

ObsessiveMathsFreak (773371) | more than 7 years ago | (#17207330)

800,000 people are going to be pissed as shit


Correction.

11 people are going to be pissed as shit.
34 people are going to panic.
72 people are going to wonder if the story is relevant to them.
284 people aren't going to realise the story is relevant to them.

799599 people affected aren't even going to hear about this, let alone care.

There is a silent majority. It's silent because it's too apathetic to speak.

Re:wow! (1)

topical_surfactant (906185) | more than 7 years ago | (#17209220)

They emailed everyone they had addresses for on that list. The "I care" numbers are probably a bit higher, especially considering that many of them were graduate school applicants.

Re:wow! (0)

Anonymous Coward | more than 7 years ago | (#17209590)

They prefer the term "Retarded Majority" now.

Notification law (0)

Anonymous Coward | more than 7 years ago | (#17209614)

California has one asshat.

Everybody is required to be notified if their information has been exposed.

so..... get your fucking facts right.

Slashdot needs a -1 WRONG! moderation.

Re:wow! (1, Interesting)

Anonymous Coward | more than 7 years ago | (#17208534)

This isn't going to show up on your monthly bank statement.

Criminals typically do one of three things with a Name/DOB/SSN:

1) Try to obtain credit in your name
2) Open a bank account and use it for money laundering, bogus checks, ebay fraud, and various other scams
3) Give your info when they get arrested

1) will show up on your credit report eventually. With 2) or 3) you might not find out about it for awhile.

pwned! (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#17206800)

Here's an obvious choice for the 'pwned' tag.

E-mail sent to UCLA students, faculty, and staff (4, Informative)

George Maschke (699175) | more than 7 years ago | (#17206832)

December 12, 2006

Dear Friend,

UCLA computer administrators have discovered that a restricted campus database containing certain personal information has been illegally accessed by a sophisticated computer hacker. This database contains certain personal information about UCLA's current and some former students, faculty and staff, some student applicants and some parents of students or applicants who applied for financial aid. The database also includes current and some former faculty and staff at the University of California, Merced, and current and some former employees of the University of California Office of the President, for which UCLA does administrative processing.

I regret having to inform you that your name is in the database. While we are uncertain whether your personal information was actually obtained, we know that the hacker sought and retrieved some Social Security numbers. Therefore, I want to bring this situation to your attention and urge you to take actions to minimize your potential risk of identity theft. I emphasize that we have no evidence that personal information has been misused.

The information stored on the affected database includes names and Social Security numbers, dates of birth, home addresses and contact information. It does not include driver's license numbers or credit card or banking information.

Only designated users whose jobs require working with the restricted data are given passwords to access this database. However, an unauthorized person exploited a previously undetected software flaw and fraudulently accessed the database between October 2005 and November 2006. When UCLA discovered this activity on Nov. 21, 2006, computer security staff immediately blocked all access to Social Security numbers and began an emergency investigation. While UCLA currently utilizes sophisticated information security measures to protect this database, several measures that were already under way have been accelerated.

In addition, UCLA has notified the FBI, which is conducting its own investigation. We began notifying those individuals in the affected database as soon as possible after determining that personal data was accessed and after we retrieved individual contact information.

As a precaution, I recommend that you place a fraud alert on your consumer credit file. By doing so, you let creditors know to watch for unusual or suspicious activity, such as someone attempting to open a new credit card account in your name. You may also wish to consider placing a security freeze on your accounts by writing to the credit bureaus. A security freeze means that your credit history cannot be seen by potential creditors, insurance companies or employers doing background checks unless you give consent. For details on how to take these steps, please visit http://www.identityalert.ucla.edu/what_you_can_do.htm [ucla.edu] .

Extensive information on steps to protect against personal identity theft and fraud are on the Web site of the California Office of Privacy Protection, a division of the state Department of Consumer Affairs, http://www.privacy.ca.gov [ca.gov] .

Information also is available on a Web site we have established, http://www.identityalert.ucla.edu [ucla.edu] . The site includes additional information on this situation, further suggestions for monitoring your credit and links to state and federal resources. If you have questions about this incident and its implications, you may call our toll-free number, (877) 533-8082.

Please be aware that dishonest people falsely identifying themselves as UCLA representatives might contact you and offer assistance. I want to assure you that UCLA will not contact you by phone, e-mail or any other method to ask you for personal information. I strongly urge you not to release any personal information in response to inquiries of this nature.

We have a responsibility to safeguard personal information, an obligation that we take very seriously.

I deeply regret any concern or inconvenience this incident may cause you.

Sincerely,

Norman Abrams, Acting Chancellor

This is an automated message regarding the recent identity alert at UCLA. We're sorry, but we are unable to respond to emails. Please do not reply to this email. If you have questions or concerns and would like to speak with someone, please call (877) 533-8082. For additional information and steps to take, please go to the dedicated website at http://www.identityalert.ucla.edu [ucla.edu] .

Re:E-mail sent to UCLA students, faculty, and staf (1)

Chabil Ha' (875116) | more than 7 years ago | (#17206902)

A security freeze means that your credit history cannot be seen by potential creditors, insurance companies or employers doing background checks unless you give consent.

Gee, it isn't that way by default? I would expect that that information too would be safeguarded...

What are the credit implications for placing a freeze on that information? Does it affect credit scores in any way? If not, I would like to place one on my own, just for fact that I don't want anybody looking at that information without my consent...

Re:E-mail sent to UCLA students, faculty, and staf (1)

Lloyd_Bryant (73136) | more than 7 years ago | (#17207880)

A security freeze means that your credit history cannot be seen by potential creditors, insurance companies or employers doing background checks unless you give consent.

Gee, it isn't that way by default? I would expect that that information too would be safeguarded...


Nope. Unless you've specified such a freeze, anyone who has subscribed to the credit bureau can see your credit history. Credit card companies routinely scan such histories to determine who to send those unsolicited "You have been approved for ..." mailings. Employers routinely check such histories before hiring (on the assumption that a bad credit history = an unreliable person). Apartments routinely check such histories before renting to a person.

I wouldn't be a bit surprised to find out that con artists are accessing these credit histories to find suitable victims. All that such a criminal would need is an inside contact with a subscriber...

Re:E-mail sent to UCLA students, faculty, and staf (3, Insightful)

Beryllium Sphere(tm) (193358) | more than 7 years ago | (#17209002)

Yes, should be the default, but you can't even get a security freeze unless you live in a state that forces the credit bureaus to do it. California is one.

It should be illegal to treat the SSN as proof of identity anyway. What kind of password has the following properties?
o Less than a billion possible values
o Part of it based on your place of birth
o You're required to disclose it to dozens or hundreds of places
o Any credit-granting company can order a report and look at it
o It never changes

Re:E-mail sent to UCLA students, faculty, and staf (2, Insightful)

lawpoop (604919) | more than 7 years ago | (#17207060)

"I regret having to inform you that your name is in the database."

He regrets having to inform us, not that they were hacked.

Re:E-mail sent to UCLA students, faculty, and staf (2, Interesting)

thePowerOfGrayskull (905905) | more than 7 years ago | (#17208084)

"I regret having to inform you that your name is in the database."

He regrets having to inform us, not that they were hacked.
For that matter, he doesn't even regret that your name was in the database -- only that he has to tell you about it.

Liked this quote (1)

Gription (1006467) | more than 7 years ago | (#17209512)

The line I liked best was the last line of the second paragraph, "I emphasize that we have no evidence that personal information has been misused."

The line doesn't add anything except the realization that they are trying to cover their ass. Of course they don't have any evidence of what the intruder did with the data.

They do have proof of misuse though... Unauthorized access is misuse!

Re:E-mail sent to UCLA students, faculty, and staf (0)

Anonymous Coward | more than 7 years ago | (#17210008)


UCLA computer administrators have discovered that a restricted campus database containing certain personal information has been illegally accessed by a sophisticated computer hacker.


they incorrectly spelled "due to incompetent administration of the database used to house all this information."

that's right, personal responsibility is for everyone else.

i'm sure this hacker will be code named "keyser soze" before this is over - he was obviously a computer guru with einsteinian intellect to outsmart the "geniuses" over at ucla.

okay, this is a bit harsh and my words may well be one day cut and pasted and used against me, however, 1. i will actually feel bad should others lose out b/c i wasn't on my game and 2. they better tell others what this flaw was so others can avoid being attacked. if they don't - you can believe administration messed up badly.

Re:E-mail sent to UCLA students, faculty, and staf (1)

neoshmengi (466784) | more than 7 years ago | (#17210560)

You may also wish to consider placing a security freeze on your accounts by writing to the credit bureaus. A security freeze means that your credit history cannot be seen by potential creditors, insurance companies or employers doing background checks unless you give consent.

Why isn't this automatic? Nobody should have the ability to check someone's credit without their consent. It should be the 'default' setting.

One way to help protect... (3, Insightful)

s31523 (926314) | more than 7 years ago | (#17206840)

When I was in a U.S. college, albeit a long time ago i.e. before Patriot Act and 9/11, I had the choice to use a random number as my student ID rather than my social security number. I remember hearing that the soc. security number is(was? pre 9/11) only required for social security and tax purposes. I think more places should start using other numbers. Although this wouldn't solve hacked identity theft, it is one less piece of information that the hackers get...

Re:One way to help protect... (2, Interesting)

denebian devil (944045) | more than 7 years ago | (#17206914)

When I was in a U.S. college, albeit a long time ago i.e. before Patriot Act and 9/11, I had the choice to use a random number as my student ID rather than my social security number. I remember hearing that the soc. security number is(was? pre 9/11) only required for social security and tax purposes. I think more places should start using other numbers. Although this wouldn't solve hacked identity theft, it is one less piece of information that the hackers get...
Except that would just mean that when the hackers get their spreadsheet full of information on 800,000 people, they just have to remember to look to the "SSN" column instead of the "Student ID" column to get the information they want. The school will still collect your SSN whether they use it as your ID or not. The question merely becomes whether it is your SSN or some randomly generated number that they put on your ID card.

Re:One way to help protect... (3, Interesting)

s31523 (926314) | more than 7 years ago | (#17207008)

I actually refused to give my social security number to the school (again this was pre 9/11 and Patriot Act) because when I asked why they needed it they said for administrative purposes only. After my unwillingness to give it up they said, "well sir, we can assign you a generic ID number, but that will be really hard to remember and most students choose their soc. number because they can remember it. Are you sure you want to do this?". So, in my case the soc. sec. column had a generic number (which was 11 digits, instead of 9).

Re:One way to help protect... (1)

CastrTroy (595695) | more than 7 years ago | (#17207770)

I don't see the argument for it being too hard to remember. Mind you, my student ID number was 7 digits and not 11, but having to remember an 11 digit number isn't that bad. It's no longer than a phone number with area and country code. Having to write my student number on every assignment, and test helped me remember my student number quite quickly. Although I could see them needing the social security number for tax purposes as tuition fees are tax deductible, at least in Canada.

Re:One way to help protect... (0)

Anonymous Coward | more than 7 years ago | (#17207830)

I think all schools use "Random" student id's but your ssn is still on a server somewhere for financial aid. Students at my school can use either their ssn or student id in most cases. At my school you can use either to log in for counseling appointments. It's a web based system and 9 times out of 10 ie is caching the data entered (for the autocomplete feature) You just hit down and there's a list of all the ssn's that have logged in since the last time they cleared the cache (usually the last time the computer got deep freezed). Oh the looks i get when i am standing in front a line full of people clearing the cache...

Re:One way to help protect... (1)

legoburner (702695) | more than 7 years ago | (#17207050)

When I was an international student at a US university, we were given university-issued SSNs before we got official temporary ones from the government. The university did not map between the two and we only had the non-official one associated with our accounts, which was basically an institution ID number, a student ID number and a lot of 'X' characters. There must be a provision at most universities to allow this already, so it would hopefully not be a huge leap to adjust their systems accordingly? As a non-US outsider, I am unsure as to why exactly they need a tax ID number to associate with your education anyway if anyone would care to share reasons. Most reasons I can think of (loans, payments, credit) would perhaps be better handled by the individual/third party rather than the institution anyway (and generally is how it is done here in the UK where it is unheard of to have to give your national insurance number (SSN equiv) for these sorts of things). Perhaps it is just because the UK SSN equiv. has letters and numbers so does not fit as efficiently into a database.

Re:One way to help protect... (1)

hahiss (696716) | more than 7 years ago | (#17207172)


I think, for the most part, you're right---if someone gets the right records (i.e. those that correlate SSN with ID#s), there's not much you can do.

However, having non-SSN ID#s means that your SSN appears (or at least needs to appear) in fewer places in your records and on campus in general. The problem is that students use (or can at many places use) their IDs at the library, as a debit card, and the like, and having ID=SSN means having that information out there in a LOT of places.

To take one example people (faculty and students) don't often think of: class rosters. All of the class rosters I've used as a professor have had student ID#s on them. Me? I'm pretty careful about security, so I try to shred any document that has this sort of information on it. But many of my colleagues don't---they'll just drop the sheets in the trash or recycling bin. If the IDs on there are SSNs, it wouldn't take much 1337 h4x0ring skills to grab the roster from the bin. Granted, you can't get 800,000 this way very quickly, and you can of course wreak havoc with student ID numbers, but having student ID numbers other than SSNs does shrink this security hole some.

Re:One way to help protect... (0)

Anonymous Coward | more than 7 years ago | (#17207274)

Except that would just mean that when the hackers get their spreadsheet full of information on 800,000 people, they just have to remember to look to the "SSN" column instead of the "Student ID" column to get the information they want.

What you're saying is true, but switching to a non ssn id is still effective because it vastly reduces the number of people with access to ssns. For example, at a certain Big 10 school, class rosters are distributed to professors and teaching assistants with ssns on them because ssns are still our primary id. Likewise, while we have table based security on our data warehouse and while it is used, everyone who does any reporting against it (and by proxy anyone they do reporting for) has access to everyone's ssns because ssn is in every table. This includes some pretty random office people and occasionally other students. Our keycard system also somehow involves ssns. In an environment where the id is an ssn, you end up with excel files with ssns flying around email, print offs sitting in hallway printers, etc. There's basically no controlling it.

Many of us in IT at OSU have been screaming at the central powers that be to get us off of ssns for at least a decade. Things are slowly moving forward. The irony is that, when a public breach occurs, it's probably going to be IT that is blamed.
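The contrast drawn in the comment above (SSN as the primary ID ends up in every table and on every roster) as an added example, not code from the thread or from any university's system: a Python/sqlite3 comparison of that layout with one keyed on a random ID where the SSN sits in a single table. Table names, column names and sample rows are constructed for illustration; SQLite has no per-table permissions, so restricting who can read `ssn_vault` is assumed to be handled by the real DBMS.

```python
import re
import secrets
import sqlite3

SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")

# Layout described in the comment: SSN is the primary ID, so it is in every table.
LEGACY_SCHEMA = """
CREATE TABLE person     (ssn TEXT PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE enrollment (ssn TEXT NOT NULL, course TEXT NOT NULL);
CREATE TABLE keycard    (ssn TEXT NOT NULL, door TEXT NOT NULL);
"""

# Alternative: a random surrogate ID is the key everywhere; SSN lives in one table.
SURROGATE_SCHEMA = """
CREATE TABLE person     (student_id TEXT PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE ssn_vault  (student_id TEXT PRIMARY KEY REFERENCES person(student_id),
                         ssn TEXT NOT NULL UNIQUE);
CREATE TABLE enrollment (student_id TEXT NOT NULL, course TEXT NOT NULL);
CREATE TABLE keycard    (student_id TEXT NOT NULL, door TEXT NOT NULL);
"""

# Constructed sample rows; SSNs with area number 000 are never issued.
SAMPLE = [
    ("Alice Example", "000-12-3456", "MATH101", "Lab A"),
    ("Bob Example", "000-65-4321", "MATH101", "Lab B"),
]


def new_student_id():
    """Random ID that carries no information about the person."""
    return "S" + "".join(secrets.choice("0123456789") for _ in range(9))


def build_legacy():
    """In-memory database using the SSN as the key in every table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(LEGACY_SCHEMA)
    for name, ssn, course, door in SAMPLE:
        conn.execute("INSERT INTO person VALUES (?, ?)", (ssn, name))
        conn.execute("INSERT INTO enrollment VALUES (?, ?)", (ssn, course))
        conn.execute("INSERT INTO keycard VALUES (?, ?)", (ssn, door))
    return conn


def build_surrogate():
    """In-memory database keyed on a random ID, with SSNs only in ssn_vault."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SURROGATE_SCHEMA)
    for name, ssn, course, door in SAMPLE:
        sid = new_student_id()
        conn.execute("INSERT INTO person VALUES (?, ?)", (sid, name))
        conn.execute("INSERT INTO ssn_vault VALUES (?, ?)", (sid, ssn))
        conn.execute("INSERT INTO enrollment VALUES (?, ?)", (sid, course))
        conn.execute("INSERT INTO keycard VALUES (?, ?)", (sid, door))
    return conn


def tables_holding_ssns(conn):
    """Audit: sorted names of tables in which any value looks like an SSN."""
    tables = [row[0] for row in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name")]
    hits = []
    for table in tables:
        rows = conn.execute(f'SELECT * FROM "{table}"').fetchall()
        if any(isinstance(v, str) and SSN_RE.match(v) for row in rows for v in row):
            hits.append(table)
    return hits


def class_roster(conn, course, id_column):
    """What a professor or TA is handed: (id, name) pairs for one course."""
    if id_column not in ("ssn", "student_id"):  # fixed schema names only
        raise ValueError("unknown id column")
    return conn.execute(
        f"SELECT p.{id_column}, p.name FROM person p "
        f"JOIN enrollment e ON e.{id_column} = p.{id_column} "
        "WHERE e.course = ? ORDER BY p.name", (course,)).fetchall()


def roster_leaks_ssn(roster):
    """True if any field on the roster is SSN-shaped."""
    return any(SSN_RE.match(str(v)) for row in roster for v in row)


if __name__ == "__main__":
    print("legacy   :", tables_holding_ssns(build_legacy()))
    print("surrogate:", tables_holding_ssns(build_surrogate()))
```
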

Re:One way to help protect... (1)

Chanc_Gorkon (94133) | more than 7 years ago | (#17207686)

So that Big Ten school is OSU....ha ha.

Re:One way to help protect... (1)

Chanc_Gorkon (94133) | more than 7 years ago | (#17207508)

SSN's required for Financial Aid and I think Selective Service registration proof is done the same way. Since school is so damn expensive, almost everyone needs financial aid unless you're Bill Gates or at the very least a millionaire.

Re:One way to help protect... (1)

another_fanboy (987962) | more than 7 years ago | (#17206988)

random number as my student ID rather than my social security number
Many schools now are using ids rather than social security numbers. They are not random, but sequential in order of admittance to the school. As I recall, I had to use my social security number only once, and that was as validation for my student id.

Re:One way to help protect... (1)

i.r.id10t (595143) | more than 7 years ago | (#17207010)

I remember hearing that the soc. security number is(was? pre 9/11) only required for social security and tax purposes.

From the beginning actually. Cards say on 'em "Not to be used for ID" or something like that. However, it has always been a "mostly" unique number, so someone somewhere decided to start using it as a unique identifier in their database (or rolodex at that point most likely) and its just gotten worse since...

Re:One way to help protect... (1)

hitchhikerjim (152744) | more than 7 years ago | (#17209810)

When I was at UCLA in the '80s, they had already long since stopped using the SSN as any sort of student ID number. It was already understood that exposing the SSN had the potential for fraud.

I suspect this database was a financial one of some sort... one where they actually needed the SSN for its real purpose -- reporting earnings and such to the IRS and the Social Security Administration.

Now why they still retain that information for people who've been out of the system for years is beyond me. That'll probably get them in trouble.

But I've still got a beef with the credit agencies... they should not be using such a freely available number (historically) as the primary password for using someone's credit. 2-factor authentication (something remembered plus something physical) has been possible for far too long for us to ignore it. If they just shifted to SSN plus fingerprint it'd be enough. Or go a step further... SSN plus fingerprint plus photo. Make it illegal to retain the fingerprint beyond initial identification to the credit checking institution, and provide fingerprint readers that protect it just that way.

What was the hack? (1)

PhrostyMcByte (589271) | more than 7 years ago | (#17206864)

TFA doesn't mention what the "hack" was. My guess, the software (probably a website) is more of a hack than anything that was done to access the data.

It's scary how much information is being reported as leaked every couple months.

Re:What was the hack? (1)

SNR monkey (1021747) | more than 7 years ago | (#17207134)

Actually, I think the scary thing is how much information is NOT reported as 'leaked'. As much as it sucks for those 800,000 people, at least they know that there is a good chance their data was compromised. For the rest of us, we have to hope that companies will keep it secure or tell us if it is compromised. You don't have to be wearing a tinfoil hat to worry about the security of your data. Maybe people should be operating under their assumption that their data IS compromised. There are free credit reports for a reason.

Re:What was the hack? (0)

Anonymous Coward | more than 7 years ago | (#17208922)

What is really scary is not the incidents you hear about, it's all the ones that happened that never get reported that you never hear anything about.

Santa Claus says "security? ho ho ho!" (5, Insightful)

Toby The Economist (811138) | more than 7 years ago | (#17206880)

Security is hard to get right because you have to get *everything* right.

Make one mistake and you've got no security.

As such, it is problematic to have vast databases of highly valuable information protected by "security".

The result will be a constant flow of database violations.

Unfortunately, by and large, a database provides a large and ongoing bureaucratic benefit to an organisation, whereas the pain of data loss is primarily borne by the people described by the database.

The only response we have as individuals is to keep our details as secret as possible.

It's difficult because it is "virtual". (1)

khasim (1285) | more than 7 years ago | (#17207198)

Security is hard to get right because you have to get *everything* right.

Sort of. The problem with getting everything right is that you're dealing with non-physical concepts. If people were dealing with a physical structure it would be easier for them to understand and get it "right". Or at least closer to "right" than we currently see.

For example, important physical records are kept in a safe. The safe is in someone's office. The office is locked. If someone sees someone else going through the safe, most of the time they'll recognize whether that person should or should not be in that office, going through that safe.

But when we're talking about virtual systems, very few people can see who is accessing the data. Or what data is being accessed. And many will not even know what data is kept where. Or care (before the crack succeeds) about whether anyone would be interested in it.

The focus is not on security. It is on automation and work-force reduction. Letting the machines have access to EVERYTHING so that the machines can run the processes and send the results to other machines.

The only response we have as individuals is to keep our details as secret as possible.

That's not going to work. It's too brittle. Once any of the sites with your data are compromised, your data is compromised.

Eventually, the criminals are going to wake up and really discover the power of the "database".

Imagine organized crime with a database on you similar to what the major credit tracking sites have. And it is almost as easy for them to collect it. "Identity theft" will take on a whole new dimension.

For the average person to understand it, virtual security needs to appear more like physical security.

Re:It's difficult because it is "virtual". (1)

Beryllium Sphere(tm) (193358) | more than 7 years ago | (#17209202)

>Imagine organized crime with a database on you similar to what the major credit tracking sites have.

It would be easy for them. How much does a "market research" firm cost to buy outright? How much money could a big crime syndicate muster?

Reminds me of Bruce Schneier talking to Verisign about how much it would cost an attacker to compromise their ultimate root certificate. If all else failed, they figured that a $15 million down payment would swing a leveraged buyout of Verisign.

Far, far less. (1)

khasim (1285) | more than 7 years ago | (#17210220)

If all else failed, they figured that a $15 million down payment would swing a leveraged buyout of Verisign.
...and...

It would be easy for them. How much does a "market research" firm cost to buy outright? How much money could a big crime syndicate muster?

Why spend that much money on something you can get for a few thousand in gambling debt or drugs?

You don't have to own the company if you can pwn an employee with the right kind of access.

And the payoff would be millions of times greater than that "investment".

And it wouldn't even have to be a single employee at a single company. Just build the databases based on the SSN's and cross-reference/add whatever you can get from other employees at other companies. Pretty soon you'll have enough specifics on individuals to start checking their credit ratings and taking out loans/cards in their names.

And the "best" part is that no single person would be committing the really "bad" crime. What's the sentence for downloading 800,000 names and SSN's such as in the story? I don't know. But it certainly would not be in the range I'd want for the financial damages those people would be facing.

We're seeing organized crime in the spam zombie business now. Because it is lucrative. Identity theft is a million times more lucrative.

Re:Santa Claus says "security? ho ho ho!" (2, Insightful)

canuck57 (662392) | more than 7 years ago | (#17207232)

>Security is hard to get right because you have to get *everything* right.

You are assuming rational due diligence was in fact even attempted. These are institutions run by politicians.

>Make one mistake and you've got no security.

Not if you have really done your homework. You NEVER rely on one system. When the second system catches a violation, you promptly deal with it.

One has to ask, why did it take so long to notice? Think about all the others that are not even watching?

Computer security is all about priorities, it isn't even technical. It is social/political.

Assume your SSN is public knowledge. The root cause of this issue is those that use SSN numbers f''k people's lives up after they didn't verify it was being used correctly in the first place. The fundamental problem here is financial institutions are not making sure they deal with the correct person before handing over money.

Want to solve identity theft? Simple, put 100% of the onus on those that use it to make sure they are dealing with the right person when they use it. Make it a criminal offense with hefty fines and penalties for non-compliance. Make it cost ineffective for big credit to mess up. Because in reality, identity theft is a credit company issue. After a few dozen $10 million dollar settlements for incorrectly assigned $1000 collections the credit agencies will get the message.

Re:Santa Claus says "security? ho ho ho!" (1)

Phishcast (673016) | more than 7 years ago | (#17207678)

>Security is hard to get right because you have to get *everything* right. Make one mistake and you've got no security.

I don't agree. Isn't one of the basic principles of security to use multiple layers? Firewall, IDS, TCP wrappers, strong passwords, etc. Insert various other security methods anywhere in the chain and you can be well defended. If I make a mistake in my firewall config, I should still be reasonably sure that I won't be totally compromised.

Re:Santa Claus says "security? ho ho ho!" (0)

Anonymous Coward | more than 7 years ago | (#17207966)

Agreed. According to the article, the school's CIO said "the trespasser used a program designed to exploit an undetected software flaw to bypass all security measures" (Quoting the article, not the CIO.)

There is no single software flaw that can bypass properly layered secured measures. The guy is flat-out admitting security incompetence, and he's probably too incompetent to even realize it.

Re:Santa Claus says "security? ho ho ho!" (1)

Beryllium Sphere(tm) (193358) | more than 7 years ago | (#17209094)

>Security is hard to get right because you have to get *everything* right.

>Make one mistake and you've got no security.

We're used to thinking that because good security design is so rare. Imagine if all ships and boats were guaranteed to sink the instant a hole opened in the hull. Good design contains failures. Maybe, just maybe, UCLA's database had a view that left out the SSNs and that almost all users were required to use. Anyone seriously think they did it that way? Not to mention how long it took to notice the breach.

Good Target (2, Interesting)

GreggBz (777373) | more than 7 years ago | (#17206954)

I imagine a University is the type of organization that kind of flies under the radar. Banks, hospitals, credit card companies, these are obvious repositories of personal information. UCLA, not so much. Factor that in with a large, old, complex computer network with volumes of historical data (Those of you that graduated 20 years ago can probably still get your transcript) and you are bound to have quite a bit of low hanging fruit.

Re:Good Target (1)

Chanc_Gorkon (94133) | more than 7 years ago | (#17207266)

Actually, universities have tons of data. Remember how you paid for school right? Financial Aid, Stafford Loans and more and you probably went right through the school to get it thanks to the grade requirements and more. Universities are famous for having a lot of things on file and tons of unskilled labor who don't know any better (students and more).

It's time to make the SSN database public (5, Interesting)

MightyYar (622222) | more than 7 years ago | (#17206974)

If the SSN database were public, the SSN would cease to become such a valuable target for identity thieves - systems would have to be changed to account for the public nature of the information. The SSN is fine as a unique identifier, but it should never have become a security tool.

Re:It's time to make the SSN database public (4, Insightful)

Chanc_Gorkon (94133) | more than 7 years ago | (#17207086)

The SSN was never to be used as an identifier. PERIOD. It was only to be used for the Social Security System. It was banks and credit bureaus who made the SSN an identifier. The issue that the banks and credit bureaus confronted so many years ago was that they needed a unique way of identifying you for purposes of granting credit. The SSN was the only option as it was designed from the get go to give you a unique number. Even now though, older SSN's are being reissued as people die off. The problem now is that the number is shown being used by a dead person.

Unfortunately, there's no easy answer. SSN's already in use as an id and until something else better comes along, we have to use it. So what should we in IT do? First, reduce easy access to the number. When designing systems, issue an id that is unique and ONLY works with your system. If you need a way of identifying people in the real world, file the SSN and then reduce access to it. Only let the people who need that number have access to it. In the case of colleges, only financial aid and possibly select people records and registration need to see it. Everyone else MUST use the institution specific id.

The big issue for some higher ed systems is that they used some unsecure methods for far too long. One system in particular up until about 2-3 years ago was using telnet in their client! It was not even SSL'd!
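One way to implement the separation described in the comment above (an institution-specific id for everyday use, the SSN filed apart with restricted access), which also covers the SSN-free view suggested earlier in the thread. This is an added example, not code from any poster or from UCLA: the table names, role names and sample records are assumptions, and SQLite's per-connection authorizer stands in for the GRANTs a server DBMS would use.

```python
import os
import secrets
import sqlite3
import tempfile

# Assumed role names; only these may touch the SSN vault.
SSN_ROLES = {"financial_aid", "registrar"}

SCHEMA = """
CREATE TABLE person    (inst_id TEXT PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE ssn_vault (inst_id TEXT PRIMARY KEY REFERENCES person(inst_id),
                        ssn TEXT NOT NULL);
CREATE TABLE ssn_access_log (inst_id TEXT, role TEXT,
                             at TEXT DEFAULT CURRENT_TIMESTAMP);
CREATE VIEW directory AS SELECT inst_id, name FROM person;
"""

# Constructed sample data; area number 000 is never issued as a real SSN.
CONSTRUCTED_PEOPLE = [("Ada Example", "000-12-3456"),
                      ("Bob Sample", "000-65-4321")]

_GUARDED = (sqlite3.SQLITE_READ, sqlite3.SQLITE_INSERT,
            sqlite3.SQLITE_UPDATE, sqlite3.SQLITE_DELETE)


def new_inst_id():
    """Random institution-specific id, never derived from the SSN."""
    return "U" + secrets.token_hex(6)


def enroll(conn, people):
    """Store each person under a new id; the SSN goes only into the vault."""
    ids = {}
    for name, ssn in people:
        inst_id = new_inst_id()
        conn.execute("INSERT INTO person VALUES (?, ?)", (inst_id, name))
        conn.execute("INSERT INTO ssn_vault VALUES (?, ?)", (inst_id, ssn))
        ids[name] = inst_id
    conn.commit()
    return ids


def connect_as(path, role):
    """Open a connection that cannot compile any statement touching
    ssn_vault unless the role is in SSN_ROLES."""
    def authorize(action, arg1, arg2, dbname, source):
        if action in _GUARDED and arg1 == "ssn_vault" and role not in SSN_ROLES:
            return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK

    conn = sqlite3.connect(path)
    conn.set_authorizer(authorize)
    return conn


def lookup_ssn(conn, role, inst_id):
    """The only SSN read path. The attempt is logged and committed first,
    so denied lookups leave a trace as well."""
    conn.execute("INSERT INTO ssn_access_log (inst_id, role) VALUES (?, ?)",
                 (inst_id, role))
    conn.commit()
    row = conn.execute("SELECT ssn FROM ssn_vault WHERE inst_id = ?",
                       (inst_id,)).fetchone()
    return row[0] if row else None


def demo():
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        admin = sqlite3.connect(path)
        admin.executescript(SCHEMA)
        ada = enroll(admin, CONSTRUCTED_PEOPLE)["Ada Example"]
        admin.close()

        # Everyday role: the directory view works, the vault does not.
        helpdesk = connect_as(path, "helpdesk")
        names = [r[1] for r in helpdesk.execute(
            "SELECT inst_id, name FROM directory ORDER BY name")]
        try:
            lookup_ssn(helpdesk, "helpdesk", ada)
            denied = False
        except sqlite3.DatabaseError:
            denied = True
        helpdesk.close()

        # Privileged role: allowed, and audited.
        aid = connect_as(path, "financial_aid")
        ssn = lookup_ssn(aid, "financial_aid", ada)
        aid.close()

        auditor = sqlite3.connect(path)
        roles = [r[0] for r in auditor.execute(
            "SELECT role FROM ssn_access_log ORDER BY rowid")]
        auditor.close()
        return {"inst_id": ada, "directory": names, "helpdesk_denied": denied,
                "aid_ssn": ssn, "audit_roles": roles}
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
```

The audit table is what lets someone notice unusual SSN lookups, including the denied ones, without waiting for an external report.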

Re:It's time to make the SSN database public (1)

Cro Magnon (467622) | more than 7 years ago | (#17207176)

IMHO, the big problem is that the SSN is not only treated as an ID, but also as a PASSWORD!!! It would be like me using "Cro Magnon" as my password, and wondering how my /. account got hacked! *runs off to change password*

Re:It's time to make the SSN database public (1)

jimstapleton (999106) | more than 7 years ago | (#17207416)

Personally, I wouldn't mind seeing fingerprints, DNA or Retina Scan based systems.

Re:It's time to make the SSN database public (2, Informative)

swillden (191260) | more than 7 years ago | (#17208814)

>Personally, I wouldn't mind seeing fingerprints, DNA or Retina Scan based systems.

If you think getting your compromised social security number changed is hard, you should see what it takes to change your retinas. Or DNA...

Biometrics are useful security tools, but you have to keep in mind that they are only passwords. They're convenient passwords, in that you can't forget them (though you *can* lose them!), and they're fairly high-entropy passwords as well, making them hard to guess. However, they're unchangeable passwords, and you leave copies of your fingerprints and DNA pretty well everywhere you go.

Because of all of these problems, biometrics should only be used in two scenarios:

  • Low-security situations where convenience is at a premium. While biometric scanners can be fooled, it's not trivial to fool them, so if the value of whatever is protected by the security isn't very high, then biometrics are adequate from a security perspective, and have great convenience characteristics. They're especially useful in circumstances where the most likely alternative is no security at all. Note that there are some gradations within this category, based on whether the biometric is being used for identification, authentication, or both. If both, then either the population had better be very small, or the security requirement very, very weak, because the birthday problem [wikipedia.org] is going to be a major issue.
  • Very high security situations where the scanning station is attended by a trained, watchful guard tasked with assuring that scans are done properly and/or multiple authentication factors are used, such as a password, smart card or other physical token *and* a biometric scan (or two!).

The sort of high-volume, medium-security authentication required for most financial transactions is not a good application for biometrics. Granted that biometrics would increase the security if added to the current set of varied and generally weak mechanisms used, but if biometric authentication were actually deployed, it would almost certainly be used to *replace* the current mechanisms, not augment them. That wouldn't help and would probably hurt. Further, the application of biometrics would delay the application of better security, raise lots of privacy concerns, etc. It's not a good idea, sorry.
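The identification-versus-authentication point in the comment above, worked through as an added example (not part of the original comment). It computes how the chance of a false match grows with enrolled population; the false match rates are assumed illustrative values, not measurements of any scanner, and comparisons are treated as independent.

```python
import math


def impostor_matches_someone(n_enrolled, fmr):
    """1:N identification: chance that one unenrolled person is falsely
    matched to at least one of n_enrolled templates."""
    return -math.expm1(n_enrolled * math.log1p(-fmr))


def any_pair_collides(n_enrolled, fmr):
    """Birthday problem: chance that at least one pair among the enrolled
    users is indistinguishable to the matcher."""
    pairs = n_enrolled * (n_enrolled - 1) // 2
    return -math.expm1(pairs * math.log1p(-fmr))


def largest_population(fmr, risk):
    """Largest enrolled population whose pairwise collision chance stays
    at or below `risk` (doubling, then binary search)."""
    lo, hi = 1, 2
    while any_pair_collides(hi, fmr) <= risk:
        lo, hi = hi, hi * 2
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if any_pair_collides(mid, fmr) <= risk:
            lo = mid
        else:
            hi = mid
    return lo


if __name__ == "__main__":
    fmr = 1e-4  # assumed per-comparison false match rate
    # 1:1 authentication (claimed identity plus scan): risk is just fmr.
    print("1:1 verification false accept:", fmr)
    for n in (10, 100, 1000):
        print(n, "enrolled: some pair collides with p =",
              round(any_pair_collides(n, fmr), 4))
    print("max population for 1% collision risk:",
          largest_population(fmr, 0.01))
    # Constructed case: 800,000 enrolled and a much better matcher.
    print("impostor matched to someone, N=800000, FMR=1e-6:",
          round(impostor_matches_someone(800_000, 1e-6), 4))
```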

Re:It's time to make the SSN database public (2, Informative)

Politburo (640618) | more than 7 years ago | (#17207718)

>Even now though, older SSN's are being reissued as people die off.

Myth. SSA site [ssa.gov] (link may not work due to silly session cookies)

>We do not reassign a Social Security number (SSN) after the number holder's death. Even though we have issued over 420 million SSNs so far, and we assign about 5 and one-half million new numbers a year, the current numbering system will provide us with enough new numbers for several generations into the future with no changes in the numbering system.

Re:It's time to make the SSN database public (1)

Chanc_Gorkon (94133) | more than 7 years ago | (#17209852)

Do you believe them?? I don't. Yes there's the death index but this only counts IF the family accepts the death benefit from the SSA. Plus most credit agencies do NOT and probably cannot do a back check with the SSA to make sure that your name is attached with your number. Therefore, anyone can use your number with a different name and be able to establish an identity. Also, as the populace grows, they will run out of numbers at some point. The running out of number thing happened in most areas with phone numbers. This is why I now have to dial an area code even for local calls and why some areas have more than one area code. And this is with 7 digits...10 counting area codes.

Re:It's time to make the SSN database public (2, Interesting)

Vreejack (68778) | more than 7 years ago | (#17209140)

The military has used SSN's as a service number almost from the outset, and we actually used to use ours in our mailing addresses. It made delivering mail to highly mobile service members a lot easier. This practice was discouraged in the late 1980's, but as late as the late 1990's the list of US military officers and their SSN's was annually published by congress.

Although the original legislation for SSN's states that it is not meant to be a sort of national identification number, this seems mainly aimed at evangelical Christians who identified such a thing with some passages from the Revelation of John. It wasn't until the communist and fascist regimes of Stalin and Hitler demonstrated the possibility of total control that secular fears of Big Brother began to surface.

The reality of the SSN is that--being as it is a guaranteed unique name--it is extremely useful as an ID. But using it as a password is absolutely asinine. The sad truth is that criminals are more likely to know a victim's social security number than the victim is.

Re:It's time to make the SSN database public (0, Troll)

Chanc_Gorkon (94133) | more than 7 years ago | (#17209408)

Only some Evangelicals believe this. Some believe in the literal sense of the bible. The mark is the number 666 on the forehead....not SSN's or Credit Card numbers or anything else. The LITERAL meaning. Anything else, to me, is a misinterpretation of the scripture.

Re:It's time to make the SSN database public (1)

Cro Magnon (467622) | more than 7 years ago | (#17207102)

"It's time to make the SSN database public"

I thought it already was!

Students? (3, Funny)

Lord_Dweomer (648696) | more than 7 years ago | (#17206978)

What sort of options do the students have at this point? Is the school in any way liable? Or is this just going to be one of those instances where they say "oops, we were hacked, so sorry but nothing we can do" and leave the students screwed (once again)?

All I know is that the school better not be heavily promoting its computer security courses.

Re:Students? (0)

Anonymous Coward | more than 7 years ago | (#17207684)

Since it sounds like student data, and not any financial info, they may have no liability. FERPA, the federal law that addresses privacy of student records, gives the Department of Education the ability to withhold funds from a school, but doesn't say that students have standing to sue the institution over a violation. The case went to the US Supreme Court - Gonzaga University v. John Doe, June 27, 2002

Re:Students? (2, Interesting)

LouisJBouchard (316266) | more than 7 years ago | (#17210170)

No one has the right to sue unless an actual crime against the student took place. My SSN was possibly stolen from a new employee state database recently (used to determine if someone owes child support they are skipping out on) and the attitude was that since the information was not used yet, we were on our own to protect ourselves. The police even refused to take a report because as far as they were concerned, the only victim was the state agency (never mind the cost and effort I had to go through to protect my current accounts and verify that someone has/is not using my information to commit a crime).

I think that once places that hold information are held responsible (even if it is to pay for credit monitoring for 2 years for anyone whose information could have been stolen), then we will see a real concern about security. Right now, all anyone has to pay for is postage to notify a person and time to investigate. In this case for example, if UCLA had to pay for credit monitoring for 800,000 people for 2 years (at about $100/year/person), I am sure $160,000,000 would force them to make sure this does not happen again. Otherwise, we will hear more stories of this type.
 

IT budget for next year... (1)

theworldisflat (1033868) | more than 7 years ago | (#17206980)

They should really think about a better firewall for their Gibson.

The scary thing.. (2, Interesting)

bigattichouse (527527) | more than 7 years ago | (#17207002)

Isn't what people get out of such a breach, but what can be PUT IN.
ohh.. look at Johnny's sparkly new Ph.d. or M.D.

UNIVERSITY DIPLOMAS!!! (0)

Anonymous Coward | more than 7 years ago | (#17209008)

Obtain a prosperous future, money earning power, and the admiration of all. Diplomas from a prestigious California university based on your present knowledge and life experience. No required tests, classes, books, or interviews. Bachelors, masters, MBA, and doctorate (PhD) diplomas available in the field of your choice. No one is turned down. Confidentiality assured.
Just go to http://spammers-r-us.com/ucla.html [spammers-r-us.com] :)

indemnification against data breach .. (1)

rs232 (849320) | more than 7 years ago | (#17207018)

What indemnification did the software developers provide in the event of such an occurrence?

at first glance (2, Funny)

clamantis (708173) | more than 7 years ago | (#17207024)

At first glance, I thought the headline read ACLU. Now that would have stirred up a hornets' nest!

As an alumnus... (2, Funny)

Otter (3800) | more than 7 years ago | (#17207062)

...I'm willing to cut them a lot of slack since the USC game. So let's call this one a wash. Go Bruins!

Re:As an alumnus... (1)

flipmack (886723) | more than 7 years ago | (#17207464)

I'm sure the hack was funded and/or initiated by Pete Carroll.

in other news...I'm an alumnus too...lifetime member of the Alumni Association...and let me tell you, the UCLA pop3 server is always hacked...considering how much spam I get forwarded to my *@uclalumni.net account!

IMPOSIBLE (0)

Anonymous Coward | more than 7 years ago | (#17207080)

This was a Linux server running Apache. So hacking it is IMPOSIBLE!!!!!

This says it all (0)

Anonymous Coward | more than 7 years ago | (#17207108)

http://uptime.netcraft.com/up/graph?site=www.identityalert.ucla.edu [netcraft.com]
Windows Server 2003 Microsoft-IIS/6.0 12-Dec-2006 164.67.134.79 University of California, Los Angeles

99 % of all CC thefts on the web involve Windows and IIS, and yet they occupy less than 1/3 of the http AND https space. Amazing that so many look over this simple stat. It seems that only the cracker and Al Qaeda are the only ones taking notice of that.

Telling quote... (1, Insightful)

Anonymous Coward | more than 7 years ago | (#17207114)

Jim Davis, UCLA's chief information officer, said a computer trespasser used a program designed to exploit an undetected software flaw to bypass all security measures and gain access to the restricted database that contains information on about 800,000 current and former students, faculty and staff, as well as some student applicants and parents of students or applicants who applied for financial aid.

So, a single software flaw got them past "all security measures." Sounds like some heads need to roll, starting with Jim Davis'.

Re:Telling quote... (0)

Anonymous Coward | more than 7 years ago | (#17208918)

I cannot speak for this particular exploit, but 'a single software flaw got them past "all security measures"' is exactly what I would expect from a security-in-depth architecture.

According to the news report, there were unauthorized database queries.
Things we don't know:
    - How accurate was this report? (Never trust the media to get everything right.)
    - Was this compromise from a remote system, or a local user?
        An attack that starts in October certainly sounds plausible for an insider.
        School starts in September, and one month to find data worth exploiting.
    - The report said that only a few SSNs were compromised, but that they were informing everyone.
        How many were known to be exploited?
        If it was a direct DB access, then I would have expected ALL to be compromised.

since, from (3, Interesting)

minus_273 (174041) | more than 7 years ago | (#17207292)

"The data may have been available to hackers since October 2005 until November 21, 2006,"

Am I the only one who cringes when he reads this sentence?

Better off? (1)

FibreOptix (1028122) | more than 7 years ago | (#17207354)

If the SSN's are now being flagged as compromised and watched for suspicious activity, perhaps the owners are better protected against fraud than they would have been otherwise.

lucky me (1)

purplelocust (944662) | more than 7 years ago | (#17207362)

I seem to be a magnet for large-scale computer identity data leakage. I'm not sure my overall percentage, but I managed to be in a big New York Times subscriber theft a few years ago, the American Express Financial Advisors theft last year, a T-Mobile one, and as a UCLA alum I get this one also. It seemed like everyone who has my name is volunteering it to intruders, and until I looked at this very long list of data loss incidents [attrition.org] I was thinking it might just be me. At least I missed out on the big Veteran's Affairs ones by not being a veteran... Nothing bad has come of it as far as I can tell but who knows what the future holds?

Re:lucky me (1)

juggledean (792527) | more than 7 years ago | (#17207980)


>who knows what the future holds?

Extrapolating from the data in the link above there will be many more incidents in the future, perhaps 600 next year.

Re:lucky me (1)

Wanado (908085) | more than 7 years ago | (#17208278)

>Nothing bad has come of it as far as I can tell

Your SSN is probably already being used by an entire family of illegal aliens to get work and have accounts. Credit Bureaus, banks, credit card companies, employers, even the IRS aren't obligated to tell you when someone else is using your SSN without your permission. Investigations have found that some SSN's are used by up to 30 people. This stuff doesn't show up on your credit report. Some day you'll get some collections agency looking for money you owe.

Want to avoid it in the future? (0)

Anonymous Coward | more than 7 years ago | (#17208320)

Check the sites and see if they are running Windows (use netcraft). If so, then you are at risk. Then check their server. If it is IIS, avoid at ALL costs. The problem is that Windows indicates that security is NOT job 1. IIS guarantees that this shop will run MS at all costs. It is like driving a pinto on a track of a million drunk drivers, each having a lit flare. Keep in mind, that Windows is involved in nearly 100% of all online CC thefts. First off, Windows is about 96% of the servers that get cracked even though they run on less than 25% of the https space. And then for the non-Windows that have been cracked, generally, they involve a stolen CC from a windows box. The last known incident that did not involve Windows was probably the playboy theft in 1999 which involved a Solaris system not being updated. That is a good record for *nix.

Sadly, 6 years ago, all the data was released about who got cracked and how. Once Bush came in, he shut that down in the first month. This is not about 9/11, but about paybacks. Hopefully the next pres. is not attached to Gates zipper and we can get info. Sadly, I think about the only way that will happen is if it is Gates himself.

And then... (1)

danpsmith (922127) | more than 7 years ago | (#17207364)

...corporate types wonder why there are so many lawsuits. To effectively drop the ball on the security of almost a million students and then what you get as far as service is a letter saying "oops," it makes me glad that Bush couldn't get his "frivolous lawsuit" legislation through.

Maybe when companies/organizations trusted with information that leak it start getting sued by the people they are "protecting."

At my school they used the last 4 numbers of your social security number as part of your email. Organizations need to pay the price for being so lax on the security of their clients.

suits over this would not be categorized (1)

Shivetya (243324) | more than 7 years ago | (#17207570)

as frivolous. Most frivolous lawsuits are created without the intent to win but instead to settle.

This incident is negligent, possibly bordering unto criminal if they can figure out if some people knew about it earlier. Seeing that they're a school I wonder what their liability is? I didn't check but is UCLA still considered a government entity? If so they may be already protected by law. Lots of laws that come along that punish businesses purposely exclude government agencies from the very same.

what worries me is... (1)

jimstapleton (999106) | more than 7 years ago | (#17207366)

what if they took the people whose information they obtained, and then dropped it from the server.

For example - they only went after applicants, collected the information, and dropped it from the server. There would be no existing student/faculty to wonder why their data was missing, and on top of that, if they did it at the right time, there might not even be a backup to verify it was ever there. Thus, the victim gets no warning whatsoever, and the thief gets an even longer time to escape.

I hope the investigators are considering /that/.

They call this a "data Valdez." (1)

MoNickels (1700) | more than 7 years ago | (#17207410)

Definition of data Valdez [doubletongued.org] , via a self-link.

Maybe actual fraud will end up fixing this? (2, Interesting)

King_TJ (85913) | more than 7 years ago | (#17207606)

Despite all of these large, high-profile security breaches of late, you don't hear a whole lot about people who actually became victims of fraud right afterwards. I'm sure it's happening, but it seems to be in the "best interest" of practically everyone EXCEPT the consumers owning the info to sweep it under the rug. (EG. "No problem sir! Just mail back the form we send you, detailing all the charges you didn't actually make on your VISA, and we'll take care of it. A new card is on its way out to you right away.")

You'd think that at some point, just about everyone in the U.S. will need to put "fraud alerts" on their credit profiles!

As bad as it sounds, I think it's going to take real financial losses of an almost unmanageable sort for the lenders and credit agencies to say "Enough!" and find new ways to protect consumer info.

Re:Maybe actual fraud will end up fixing this? (0)

Anonymous Coward | more than 7 years ago | (#17209410)

Let's look at a very typical identity theft scam: Someone gets your name, date of birth, and soc sec number. Then they make a fake id with your name and open a bank account using your SSN. Then they open a paypal account and start selling stolen merchandise on ebay.

Do the lenders and credit agencies have any liability for this? No.

Here in the UK... (0)

Anonymous Coward | more than 7 years ago | (#17207616)

I obtained the ages, names, addresses, potential employment profiles and many other details of many secondary school children from my local area. Sounds bad???

Walking along the street through the city one morning I passed a rubbish collection truck which had stopped to pick up a box at the side of the road. I approached the rubbish disposal tech and asked if I could procure the box to recycle it for home use. The RDT told me I would have to speak to the people in the office it came from. At that moment the manager person arrived at the office's external street door, I asked and was told I could take it in front of the RDT. Happy to have a new box for nothing I took it home and plugged it in with much anticipation in hope that it would boot far enough that I may use one of my own HDDs with it. It booted alright, straight into its own o/s then sat there waiting for me to use it, windows! I carefully checked the file system until I found many large files of a database type which I opened with some type of progy that could view them. Inside was all this data about kids, serious data. I then got a witness to watch me going through the same method of opening and reading the data, then powered down the box and took the hdd out then smashed it to bits on some concrete outside, completely. Everything was witnessed.

It really is surprising HOW data about your children CAN get into the wrong hands, the management person concerned was running the local careers office for all the school kids in the local area and would probably have known little about how the data on their network was physically stored. The box was outside due to the network getting upgraded, probably to cope with the size of data files on each pc. Why they were not using a thin client based system is beyond my understanding except to imagine that they had been sold bad technology.

At that time, which was a good few years ago, the pc would have probably ended up in the local landfill. The landfill in question was walked daily by "beachcombers" looking for a penny or anything that might keep them warm etc.

Another serious security loophole created by bureaucratic failings.

Pathetic. This was also "my" local careers office when I was at school.

I could go on but I have better things to do.

Call me the devil but... (1)

hesaigo999ca (786966) | more than 7 years ago | (#17207910)

I think that a better security system would be to have one repository for such information, something that is associated by a third party answering to the government as we know the government itself is never capable of establishing ground breaking development, always comes from outsourced work. Once this repository is created, then we could implement a security feature that anyone needing such information would have access to that person's associated record number, if they pass clearance, then based on the level of permission that the owner of that info (the person who has his records in the repository) gave that company....they have a limited access of info. The higher the permission, the more info, this could be tied into the hospitals, credit bureaus, banks etc...and also the government would have the highest access without need for permission of course...this would also stop such things as passed information for telemarketing, they can't get your info based on no clearance, someone giving them your record number would not give them their own access number so that would nip the telemarketing and such in the bud!

How safe IS my SSN? (0)

Anonymous Coward | more than 7 years ago | (#17208134)

I know it is a little offtopic, but I often hear this folk wisdom that "oh your SSN is completely public anyways." How easy is it to find a SSN? What does one need to know beforehand to get it?

Someone should be tasered (0)

Anonymous Coward | more than 7 years ago | (#17208896)

Or at least fired. But neither will happen.

Security as an afterthought (1)

certain death (947081) | more than 7 years ago | (#17208966)

It always seems that it takes this type of break in, or some large DDoS to get Network/systems engs. to take security to heart. I do security for a living, and on a daily basis, I see people at ALL levels in companies blow it off as just too much of a hassle. Okay, Granted, it for sure can be a hassle at times, but would you rather have loss of information, broken systems, etc or a little inconvenience?!?!?

pwned (tagging beta) (3, Funny)

Dan Slotman (974474) | more than 7 years ago | (#17209654)

pwned (tagging beta)
This represents everything wrong with slashdot. On the other hand, I'm still here...

SS N (0)

Anonymous Coward | more than 7 years ago | (#17210528)

I went to a state university that had 4 last digits of person's social security number as part of their (mandatory) e-mail address...
ALSO, students' grades were posted after every test on a 8.5"x11" paper outside of classroom.
To "protect" poor students from embarrassment, students' social security numbers were used (except the last four digits) instead of names.
I am not a genius and definitely wasn't one when I was 18 but somehow I was able to put those two together :)
(everyone had a shell account and you could "finger" users to get their first name, mi and last name)
I haven't heard of any incidents but I am sure this security issue bit them in the ass.

Incompetent Academics (2, Funny)

toddhisattva (127032) | more than 7 years ago | (#17210576)

Incompetent Academics
Always Blaming Hackers
To Cover Their Asses!

For gov't use only (1)

berapp (914278) | more than 7 years ago | (#17210594)

What happened to the days when your SSN was for government use only? I wasn't around when the SSN was first used, but I heard that it was sold to the American people as a number that only the government would be able to use. In fact, I've been told that it was illegal for non-government agencies to use it at all, or even request it. What happened to those laws? If this is such an important number, why is it so easy to get from someone? I know I've placed mine on many forms I've filled out. Forms for employment, to see doctors, to get car insurance, etc. I can understand needing it to track people's past for credit and such, but why use it as their customer number? Why not just keep it on file, securely, separate from the day to day data. Instead these companies and schools use it as THE number to identify customers and students. Why not just number these people with their own scheme? They don't need the SSN for everyday transactions, so the SSN shouldn't be in everyday data, like on my bill or with my alumni data. So I went to school at UCLA (actually I didn't, I'm role playing), to contact me for that next Alumni meeting you do NOT need my SSN.