[Dataloss] Columbia University (NY) has posted SSNs on line for 16months

Casey, Troy # Atlanta Troy.Casey at McKesson.com
Thu Jun 12 15:33:32 UTC 2008

 "we have no evidence of wrongdoing"

Apparently Columbia University does not consider an employee posting its
students' social security numbers on the Internet to constitute
"wrongdoing."  Pretty lax practices by the University, considering this
same thing basically happened just 14 months before this incident!

At least the victims are afforded a heaping helping of the useless
credit monitoring service.  The University spokespeople seem to
acknowledge no culpability on the University's part.

We need some new legislation in this area.  Desperately.

And that's saying a lot coming from a libertarian like myself!

Troy D. Casey

-----Original Message-----
From: dataloss-bounces at attrition.org
[mailto:dataloss-bounces at attrition.org] On Behalf Of Henry Brown
Sent: Thursday, June 12, 2008 9:32 AM
To: dataloss at attrition.org
Subject: [Dataloss] Columbia University (NY) has posted SSNs on line for

 From the NY Sun http://tinyurl.com/5fnfxq Columbia Students Outraged By
Online Privacy Breach By ANNA PHILLIPS, Special to the Sun June 12, 2008

Angry Columbia University students are demanding an investigation after
it was discovered yesterday that 5,000 of their Social Security numbers
had been searchable online for the last 16 months.

Students received an e-mail message on Tuesday night from the vice
president of student auxiliary and business services, Scott Wright,
explaining that in February 2007, a student employee had posted a
database of students' housing information, including this reporter's, on
a Google-hosted Web site.

"No financial data was included in the file in question, and we have no
evidence of wrongdoing or identity theft," Mr. Wright said in the e-mail
message. "We are very sorry for this occurrence."

Columbia would not identify the student, saying only that the person had
worked in the university's housing office.

Administrators said they learned about the security breach June 3 when
an alumna contacted the housing office. Google removed the Web site upon

As a result of the security breach, Columbia is offering students a free
two-year subscription to a credit monitoring service.

Yesterday, students informed the school that the information of about
200 students was still searchable.

A Columbia spokesman, Robert Hornsby, said Google had removed the file
as of yesterday evening.

Several students yesterday created an online petition and posted it to
the main campus Web log, demanding that the university investigate the
former employee and issue a report explaining how security will be

A similar leak occurred in April 2007, when the university noticed that
three databases containing students' addresses and Social Security
numbers were online.

Dataloss Mailing List (dataloss at attrition.org)

Tenable Network Security offers data leakage and compliance monitoring
solutions for large and small networks. Scan your network and monitor
your traffic to find the data needing protection before it leaks out!

More information about the Dataloss mailing list