A year ago, a university that I never even applied to sent me a letter saying that my Social Security Number was among the data that was stolen in a hack. (They offered a year of free "monitoring" and yes, I checked to see that it was a real event and not a phishing attempt.)
Apparently a decade ago when I took the ACT, I gave the testing company my SSN. I listed this university as one to send my scores to for free. Apparently the ACT company not only gave them my scores but my SSN as well. On top of that, the university held on to my SSN for years after it was clear that I was never going to apply there.
Of course now as an adult, I know better than to give out my SSN, but many others do not. Until companies see that holding on to personal information is a liability rather than an asset, nothing is going to change.
(It's great if we get organizations not to hold onto personal information too, but at the level of society, the harm due to identity fraud is largely self-inflicted: we choose to allow organizations that fail to do reasonable diligence to push consequences onto individuals.)
Yup, in the same way that guns are out of the bag in the US. What do we do to limit the threat to the public at large? The solutions may seem like band-aids, but they may be the best that we have.
And this comment adds nothing to the conversation except as an example of over-zealous wannabe moderation. No one's injecting anything; it was a literary tool called a metaphor. Personally, I thought it a clever parallel.
Whoa. It's a metaphor, maybe a sensitive one, but one nonetheless. "Please don't inject flamewar topics into a thread." --> I think your comment is off the mark. A 'flamewar' is not my intention at all.
There are hundreds of individuals at my financial services company that have access to millions of social security numbers. Very easy for that information to leak out.
If you desensitize the SSN, you are in effect granting near public access to a national database of all citizens, no? If you desensitize them, would it be an infringement on one's current rights if all state and local police and other law enforcement had access to a 3rd party collection of this national, uniquely binding and certain form of ID? Also, it would require a massive overhaul of credit disbursement, as well as the background check industry and many other systems. A much larger overhaul is required if steps are not soon taken to formally regulate and monitor the storage and transfer of SSNs.
I was in a school like that which used SSNs as primary identifiers. That means test scores, homework, and papers all around campus and in trash bins with everyone's SSNs easy to see.
By the time I left they started to wise up and switched to using a separate ID, but it took them way too long.
One of the biggest issues is they are not held accountable by any agency or law. For name, address, and social security number, there is no official regulation as to how they must be stored. For credit card data, there are the PCI security standards, which often subject institutions that choose to store payment information to audits, as well as fines for violations. There still is no such standard for other personal information, SSN included.
> The breach was disclosed Friday, Cody said, because the university needed to confirm what information was accessed, who might be affected and set up resources for those affected before it was disclosed.
The breach happened Sunday, and it took MSU all that time to investigate it until they could announce it tonight, which is coincidentally the traditional time to announce bad news because everyone is checked out for the weekend? I'm not feeling a lot of good vibes about transparency here.
Frankly it sounds like this was discovered and disclosed a lot faster than most other similar incidents. The OPM hack took years for the government to disclose from the time they first knew of it. LinkedIn, Target, Home Depot, and more than I can even remember at this point all took months to years to discover and disclose. 1 week is lightning speed.
I'm (almost certainly) in the database. I can't say I care about the timing of the announcement. Nor the credit monitoring that they are putting in place.
We need to move forward so that the information employers are required to collect for tax and employment eligibility doesn't cause problems if it is leaked. It's improved a great deal in the last few years, but it really shouldn't matter at all that an imposter knows name + SSN + a few other not-at-all-obscure pieces of information.
> ... the traditional time to announce bad news because everyone is checked out for the weekend?
Not just the weekend. Here, anyways, in another big university town in the midwest, a lot of the students have already taken off and are heading home for Thanksgiving.
As an MSU grad, I feel like they handled this well. As anyone who reads Brian Krebs' site can tell you, a lot of companies have waited months to make similar announcements. It took them a week. Two years of protection is generous as well—usually it's a year in such breaches.
"The affected database contained records for all faculty, staff and students who were employed by the university between 1970 and Nov. 13, and all students who attended the university between 1991 and 2016."
I bristle a little at "handled this well". All they've done so far is disclose the basics. Great. But the breach covers just about every employee (student employees included) for the past 46 years plus all students since 1991. I'll defer judgement on how well they handle it. Meantime, credit monitoring; oh joy.
How is who your employer was private? I would never expect that to be confidential nor upset if it became public. Surprised, yes, but what's the harm? Your workmates all knew you worked there and could have tattled on you.
Ironically, they probably had to provide the credit monitoring company with all 400,000 of the affected people's private information in order to do so.
And I've been affected by a single breach in all these years: the breach at Experian, a credit bureau. So these folks can look forward to having their data lost a second time, because even these guys aren't immune to data loss.