Former SSU students' Social Security numbers exposed

Published: Friday, September 26, 2008 at 9:33 a.m.
Last Modified: Friday, September 26, 2008 at 2:14 p.m.

About 600 former Sonoma State University computer science students have had their Social Security numbers exposed to the public through an internal department Web server.

Though acknowledging the risk of identity theft, university officials said they were not aware of any criminal or inappropriate activity linked to the slip-up, which was discovered Sept. 2.

“This was just, I think, a freak accident of a relatively small proportion,” said SSU Chief Information Officer Sam Scalise.

But officials “don’t take it lightly,” and were taking every measure to alert students and ensure it doesn’t happen again, he said.

A former student accessed the roster of names and Social Security numbers through a networking site opened about six months earlier for people previously enrolled in computer science classes, SSU spokeswoman Susan Kashak said.

The Web site was closed to anyone but certain students, and the roster, though stored on the department server, was not directly linked to the site, university officials said.

The student apparently found the data using a Web crawler to search for odds and ends, they said.

“Somehow that data inadvertently got accessible from the Web page,” Scalise said. “There were no links to it so you would ‘Click here to a list of alums’ or anything like that.”

There were no indications anyone else saw the list or accessed the data for ulterior purposes, Scalise said.

It was expunged as soon as the student who found it brought it to officials’ attention, he said.

The file contained only names and Social Security numbers, so no other personal, confidential information was compromised, officials said.

Affected students have nonetheless been advised to check their credit reports to make sure their information is not being used.

The security breach pales compared with a 2005 episode in which hackers gained access to seven campus workstations, exposing the names and Social Security numbers of 61,709 people who had applied to, attended or graduated from SSU from 1995 to 2002, the university said.

Faculty data from 1999 to 2005 also was compromised in the hacking incident, though it did not appear any of the personal information was accessed or abused, university officials said.

Scalise said the Social Security numbers at issue this fall were improperly stored on a department server outside the management of SSU’s central information technology system and kept against university policy.

Current rules prevent anyone on campus from having computer files with Social Security numbers absent specific permission, he said.

Social Security numbers were once used to identify students, however, before student identification numbers came into use.

“It’s possible the file was a remnant of that,” Scalise said. “I don’t know why they had it. They did not have permission to have it.”

A recent assessment of SSU’s information systems called for improved oversight of the independently managed computers and servers such as that containing the compromised data, he said.

But the assessment praised systems under centralized management, said Scalise, who chairs the California State University Systems Technology Alliance.

“At SSU we’re either the leader or among the leaders that have taken action to prevent any kind of access to our central system,” Scalise said, “and we’ve met with all the departments and told them you can’t keep certain types of information and asked each of the VP’s (vice presidents) to validate that they know that and aren’t doing that.”
