[Dataloss] Mendoza College of Business at the University of Notre Dame

Dissent Dissent at pogowasright.org
Mon Jan 29 17:23:13 EST 2007


Note: This is a different breach than the U. of Notre Dame breach
reported at the beginning of the month. The hyperlinked notification
letter is at http://www.technologyreview.com/media/notre_dame.pdf --
Dissent.

http://www.technologyreview.com/blog/posts.aspx?id=17512&author=garfinkel

Last week I got a letter in the mail from the Mendoza College of
Business at the University of Notre Dame. Apparently, the school had
put information about me, including my social-security number (SSN)
and demographic information, on the Internet. "We have no evidence
to date that this information was used inappropriately," the school
wrote, but I might want to take "prudent ... precautions" by
periodically checking my credit report with the three major bureaus.

What's so infuriating about this is that I never had anything to do
with the University of Notre Dame.

In 2001, I was thinking about going back to graduate school, so I
took the GMAT, LSAT, and GRE exams. I checked off the boxes that
said that my information could be forwarded to schools so that they
could recruit me. A few schools contacted me, and that was that. Or
so I thought. It seems that the Graduate Management Admissions
Council didn't just provide my test scores and demographic
information: it also provided my SSN.

But why did the Mendoza College of Business keep that information
for six years? And how did it make it available on the Internet?

I called Notre Dame to find out what had happened and was told that
a file of GMAT names, scores, SSNs, and other information had been
inadvertently left on a computer that was decommissioned. At some
later point in time this computer was turned back on and plugged
into the Internet, and it made the files available through some kind
of file-sharing program. Google picked up the files, indexed them,
and added them to its archive. How was this discovered? Somebody did
a Google search on his or her own name and found the jackpot of
personal information.

The woman I spoke with from Notre Dame said that the school had
looked at the log files on the computer, and there were no other
signs of access other than by the one person who had accessed his or
her files. I'm not sure that this makes sense because she said that
there was also no evidence that Google had accessed the files, and
clearly Google had. Besides, if the information was cached by
Google, bad guys could have downloaded it directly from the cache
and avoided leaving traces at Notre Dame.

[...]

-- 
Privacy-related news and resources: http://www.pogowasright.org
Privacy news headlines feed:
http://www.pogowasright.org/backend/pogowasright.rss


