For a couple of years now, I’ve been horrified along with many people at the amount of personal information that companies are treating so carelessly and losing in such creative ways. What are all these people’s data doing on a laptop outside of the office, anyway?

Today it became personal. I have occasionally taken classes at the University of Alaska, Fairbanks (UAF). A couple of weeks ago the university revealed that “The University of Alaska recently discovered that computer intruders had breached a server on the Kuskokwim Campus in Bethel.” (See the full report here. The FAQ is particularly entertaining, in a deeply disturbing way.) There was a file on the server for people who have had a computer account since 1995. When I heard about it I was confident that my information couldn’t possibly have been exposed, since I’ve never attended classes at the Bethel campus.

How wrong I was. I’ve received a letter telling me that my information was exposed, and suggesting that I put fraud alerts on my credit reports at the three big credit reporting agencies.

There are many disturbing things about this.

  • The file with all this personal information of students was sitting on a server as some kind of kludge shortcut to support authentication.
  • The last time I took a class at UAF was about three years ago, and I haven’t had a UAF email address since the late 90s. So why was my information in the file?
  • I’ve never attended the Bethel campus, which is a few hundred miles southwest of Fairbanks. Why was my information on a server that I’d never access? Blindly stupid replication, I’d guess, putting convenience over security.
  • Thank heavens that my mailing address was current with them. What if I had moved and the forwarding order long since expired? Are they tracking down those people?
  • The letter says that “multiple intrusions occurred between February 2005 and January 2006.” Yikes. The good news is that they logged the information to detect intrusions. The really bad news is that no one seems to look at it very often. I mean, almost a YEAR?
  • UAF uses Social Security numbers as student IDs, a very bad idea. (They are apparently phasing them out, however.) They have long had a procedure in place to create a non-SSN number if you request it, which I had. I was hoping that non-SSN was the number included in the file. Alas, even though the procedure was in place to protect my SSN, the university internally uses the SSN. (This was confirmed by Shannon—Shane?—at UAF’s IT department when I called.)

To its credit, UAF seems to be doing the right things in response to the incident. Even though Alaska isn’t one of the states with rigid privacy notification laws (why not, for heaven’s sake???), they notified the press and sent out the letter I received with reasonable information about what happened and what I should do. They claim to be taking steps to correct the situation, but I dearly hope that they take a serious look at all of their security practices.

And I want to sincerely thank the people of the State of California for electing state representatives and senators who passed the first privacy violation notification legislation! Even though that didn’t mandate UAF’s response, it made it the right thing to do.

Please everyone, all us developers and admins, treat this kind of information as precious. I realize that we are all overworked, but this is a high priority.
