SSNs exposed to public

2 replies
dmt
CS Club Webmaster and all-around nice guy

Via this morning's Pee Dee:

About 600 former Sonoma State University computer science students have had their Social Security numbers exposed to the public through an internal department Web server.

[...] A former student accessed the roster of names and Social Security numbers through a networking site opened about six months earlier for people previously enrolled in computer science classes, SSU spokeswoman Susan Kashak said.

The Web site was open only to certain students, and the roster, though stored on the department server, was not directly linked to the site, university officials said.

The student apparently found the data using a Web crawler to search for odds and ends, they said.

Neat. I wonder what the software was. I also wonder what the alumni site was.

This reminds me of a similar situation at SRJC when I found a list of about 200 SSNs (including my own) from an old version of their Timekeeper program, a custom VB app that students would log into so the school could track when they enter and leave the lab. The file was sitting in the open on the public networked filesystem. The school wouldn't do anything about it. The file finally disappeared along with a lot of other stuff (did you know they used to have Lemmings on the network?) when they moved from Netware to Samba.

CrazyJoe

Glad to see I'm not the only one who noticed that article! :) Unfortunately, the details seem rather vague, as it doesn't say whether it was a CS department server or an IT one that held the data (I'm thinking it was in IT, as they seem to have plenty of strange pet-project things going on over there...). Do we know the (as of the moment) nameless white-hat who brought this to someone's attention? If anything, I've become very annoyed at nearly everybody needing my SSN when employment/education are involved - it's a big mess to navigate the zoo of who is allowed to request your SSN by law.

I do understand why so many educational institutions used SSNs in their databases, as they do serve as pretty reliable primary keys. The question is, how do you create a meaningful key that would replace an SSN and still be meaningful? I mean, it's great if you have a student ID, but what if you lose that? Then again, if you've got enough other data, you can do a query to find the right data, so I suppose it's not really as much of a problem - just keep your database a little more flat than you'd hope. Yay, I think I answered my own question!

Guest

That's nice of them to send that out to current CS majors. I didn't get an e-mail, did anyone else?
