Newsfeed
Printer-Friendly ModeConfidential
Recent thefts of thousands of Social Security numbers by hackers leave universities reassessing security measures to protect student records
December 12, 2005 —
College. When we usually think of it, several ubiquitous images come to mind. Unwanted weight gain. Copious amounts of homework. Cups of coffee to jumpstart the morning, and cups of beer to get the nighttime party started.
You might want to add something else to the list: identity theft.
Michigan State University had 27,000 Social Security numbers compromised through a summer attack on their College of Education server. This May, a hacker may have accessed 8,000 Social Security numbers at Jackson Community College in southern Michigan. Countless other colleges and universities have been affected by identity theft, through hacking, as well as mismanagement of paper records.
For students across the country, identity thieves are jacking up the price of a college education, leaving victims holding the costs. The Federal Trade Commission estimates that the number of identity theft victims across the country is approaching the 10 million per year mark. Already saddled with an average of nearly $20,000 in debt upon graduation, college students are disproportionately victims of identity theft.
Why? Many colleges still keep track of their students through their Social Security numbers. And while using Social Security numbers as student identification numbers may cut costs at the administrative level, tech-savvy criminals are taking advantage of this.
At the same time, students are barraged with a steady stream of unsolicited credit card offers, are constantly shopping on eBay and other e-commerce sites, and other students often have easy access to their bills. It takes very little for a student to set their credit card bill on the kitchen table, and for a guest in the room to swipe it surreptitiously. Combine that with the fact that many students live in close proximity to one another, and it becomes easy for identity thieves to prey on unsuspecting students.
Protecting Social Security numbers
One of the chief priorities for Information Technology Services (ITS) at SVSU is to protect the personal information of students, faculty, and staff. Yet, they concede that every new day brings new challenges for them to confront.
"We are always looking to improve our security status," says Ken Schindler, executive director of ITS.
Recent college identity thefts have usually resulted in Social Security numbers being compromised. While data being compromised does not necessarily correlate to identity theft, the protection of Social Security numbers is among the highest priorities for ITS.
Mary Aumann, operations manager and security manager for ITS, says that institution-wide policies protect the security of Social Security numbers.
"The college database where Social Security numbers are kept is not accessible through Cardinal Direct," Aumann says. "There is only one database where the Social Security numbers reside in."
Security for the Social Security database is among the highest at the University. Three levels of security, including two separate firewalls, guard access to the Social Security numbers. In addition, passwords for ITS staff using the Social Security database are different from any other of the common access points, such as e-mail. At the end of each year, external auditors come in to analyze and review the security features. While ITS concedes that these protections alone would not likely prevent a dedicated hacker, it will prevent all but the most sophisticated criminal from garnering access to Social Security numbers.
"Every person with a login signs a FERPA agreement," Aumann says, which prevents staff from giving out Social Security numbers or other sensitive data without explicit permission. Social Security numbers are not disseminated in both intra-office mail, and through GroupWise, the e-mail for faculty and staff.
Employees are also restricted access to the Social Security database, except on a need-to-know basis.
"We are in the tail end of a two-year project to secure Social Security numbers," Schindler says.
Protecting other information
Social Security numbers are not the only personal information that ITS is responsible for protecting. Financial records, insurance information, and checking account numbers are just a few of the things that need to be protected. And while identity theft usually occurs in careless management of paper records, or in online hacking, ITS feels that its main responsibility lies with protecting the e-information.
"In IT, we are more concerned about access from online," says Pat Samolewski, director of Information Technology Services. "Individual offices should be more concerned about leaving reports out."
Even though they are primarily concerned with protecting digital data, ITS recognizes that so-called "dumpster divers" (people who prey off of unprotected paper receipts) can pose an equally great threat to protecting identities.
To counter these potential threats, ITS employs what they call an "industrial-sized" shredder to safely eliminate paperwork at the end of the year. Constant shredding also occurs throughout the year, both for space and security reasons.
Identity theft resources
The Identity Theft Resource Center (www.
idtheftcenter.org) is a non-profit organization that aims to inform people about the prevalence of identity theft, and how to prevent it. Founded in 1997 by Linda Foley, herself a victim of identity theft, the ITRC works with law enforcement and other agencies to help protect the public.
Foley says that 50 percent of identity theft breaches have occurred at educational facilities across the country, mostly because many colleges still use students' Social Security numbers as identification numbers. While SVSU uses a separate number for identification purposes, she says that security needs to be constantly tested and checked, in order to find weaknesses.
Foley also says that much of the burden for protecting students' identities lies with the students themselves, rather than with the university. Since state-supported universities (such as SVSU) are not necessarily within the purview of the federal government when it comes to potential identity theft legislation, the burden of protection falls down much harder on the students themselves.
"Don't give out your Social Security number to anyone unless it is absolutely necessary," Foley says.
Foley adds that college students should be aware of scams specifically targeting college students, such as credit card offers that seem too good to be true.
"You should be checking your credit report annually," she says.
Students without a credit history should still check to be on the safe side, just to be sure that no one has secretly charged bills at your expense, Foley says.
Last, Foley points out that the constant clustering of students makes it very easy for someone to swipe your credit card bill, or another piece of valuable information.
"Shred, shred, shred! I know your roommates are going to be your best friends, but unfortunately we live in a world where we cannot trust anybody," Foley says.
Preparing for the future
While ITS believes that there have been no security breaches, they recognize that protecting confidential information is an evolving process. There may have been no identity theft yet, but there is no guarantee that identity theft will not happen at SVSU.
"If anything occurred, we'd be really early on the group of people that would know," Schindler says.
Yet often, the desire for security clashes with the desires of the students for easily accessible information.
"On one hand, we are supposed to provide students open and ready access. On the other hand, we have to protect the information," Schindler says, stating that the issue of securing information has become much more complex over the past five years with the advent of Blackboard, and continued advances in technologically based curriculums.
Samolewski says that a timeout feature in the computer labs is being studied for possible implementation. After a designated period of inactivity, the computers would log themselves out. This used to exist in the labs, but caused problems, so it is unclear whether or not it will be implemented.
"The biggest thing I'd like to get is an expiring password," Schindler says. This would require students to change their password at a fixed time interval, such as every four months, and would make it more difficult for identity thieves to access a student's password. This proposal has been recommended by ITS, but has not yet been accepted.