Social security breach on USU campus

Hilary Ingoldsby

The social security numbers of 16 Utah State University faculty and staff members were mistakenly made accessible on the Internet, leading to the discovery of thousands more, USU officials said.

Over the weekend of Oct. 1 and 2, a faculty member looked up his name using the Google Internet search engine, John DeVilbiss, executive director of public relations and marketing, said. The search yielded results of a university site that contained his social security number, he said.

The site also contained the personal information of 15 other faculty and staff. The faculty member first notified the police, and then Webmaster Charles Thompson was contacted, DeVilbiss said.

“He [Charles] went right in and took immediate action,” DeVilbiss said.

Thompson said he immediately pulled the information off the server and began doing other searches. He said he also contacted Google, which said it will shut down the sites but that it will take a few weeks to do so completely.

Upon further investigation, 12 Excel spreadsheets were found on an open-access server. The spreadsheets contain more than 7,000 social security numbers of current and past faculty, staff and students, DeVilbiss said.

An additional 11 files were also found containing sensitive information, Thompson said.

After much testing and searching, DeVilbiss said, they haven’t found anything to lead them to believe that the spreadsheets were ever accessed on the Internet.

So far, nothing shows that the other 11 files were indexed by search engines. However, the files containing the personal information of the 16 USU faculty and staff were accessed, DeVilbiss said.

“There’s some real concerns about the fact that they were posted,” DeVilbiss said.

Credit reports are being run on the accessed social security numbers to ensure that no identity theft or fraud has occurred, DeVilbiss said.

So far no fraudulent activity has been noted, DeVilbiss said. Those affected by the social security breach have been notified and are being encouraged to continually check their credit report.

“If they haven’t had fraud at this point there’s a good chance they aren’t going to,” DeVilbiss said.

The files were not meant to be made accessible, DeVilbiss said. The files were placed on an open-access university Web server and then automatically indexed by search engines.

Many people assume that such files will stay on campus and don’t understand how easily they can be indexed by search engines if placed in the wrong location, DeVilbiss said.

“Personnel who posted these files did not intend to give personal access,” DeVilbiss said.

Another part of the problem is the number of servers on campus, Thompson said. There are presently hundreds of servers on campus in the different colleges and departments.

This makes it very difficult to keep track of all information, Thompson said. Having fewer servers on campus and more centralized servers could help prevent this type of problem from happening again, DeVilbiss said.

The accessed files have been vulnerable since at least May, DeVilbiss said, while other files have been potentially vulnerable for a longer time. DeVilbiss gave the example of a driving course offered at USU about eight years ago. Students, faculty and staff in the course gave their names and social security numbers. The information was then put into a file and later on the web.

Checks are continuing to be made on all campus and Web servers to find any other potential problems and prevent this type of thing from happening again, DeVilbiss said.

DeVilbiss said he encourages anyone worried about their personal information being posted on the web to do three things. First, perform a search on the Internet of oneself to see what is out there. Second, talk to college deans about personal files. And third, go to the university’s new website, www.usu.edu/ssn, to learn more about how to prevent identity theft.

The site also provides information on free credit checks.

-hilaryi@cc.usu.edu