Website breach at Sonoma State University exposes students' Social Security numbers
A breach at Sonoma State University exposed the Social Security numbers of about 600 former computer science students, which had been stored on an internal department Web server. Though acknowledging the risk of identity theft, university officials said they were not aware of any criminal or inappropriate activity linked to the slip-up, which was discovered Sept. 2.
A former student accessed the roster of names and Social Security numbers through a networking site opened about six months earlier for people previously enrolled in computer science classes, SSU spokeswoman Susan Kashak said.
The Web site was closed to anyone but certain students, and the roster, though stored on the department server, was not directly linked to the site, university officials said.
The student apparently found the data using a Web crawler to search for odds and ends, they said. “Somehow that data inadvertently got accessible from the Web page,” officials said. “There were no links to it so you would ‘Click here to a list of alums’ or anything like that.”
There were no indications anyone else saw the list or accessed the data for ulterior purposes. It was expunged as soon as the student who found it brought it to officials’ attention.
The file contained only names and Social Security numbers, so no other personal, confidential information was compromised, officials said. Affected students have nonetheless been advised to check their credit reports to make sure their information is not being used.
The security breach pales compared with a 2005 episode in which hackers gained access to seven campus workstations, exposing the names and Social Security numbers of 61,709 people who had applied to, attended or graduated from SSU from 1995 to 2002, the university said. Faculty data from 1999 to 2005 also was compromised in the hacking incident, though it did not appear any of the personal information was accessed or abused.
The Social Security numbers at issue this fall were improperly stored on a department server outside the management of SSU’s central information technology system and kept against university policy. Current rules prevent anyone on campus from having computer files with Social Security numbers absent specific permission. Social Security numbers were, however, used to identify students before student identification numbers came into use.
A recent assessment of SSU’s information systems called for improved oversight of the independently managed computers and servers such as that containing the compromised data.