According to the Chicago Maroon, student social security numbers (SSN) and grade reports may possibly have been compromised at the University of Chicago. The University has set up an Incident Response site where those affected by the compromise can find information about the event.
According to the Maroon article, the SSN of Alumni from 1990-2002, and the grade reports from Autumn 2003 are amongst the items believed to be compromised.
While I applaud the university for taking quick action and setting up a status website, I am hugely disappointed that they did not deem it necessary to inform affected students/alumni of what is a severe compromise of privacy and trust. I would also expect them to provide an aggregated list of compromised data, so that those affected know exactly what may have been stolen. If the Maroon is correct in its assessment of what data has been compromised, then I am among those whose data may have been stolen.
During my time at UChicago, I had the pleasure of working with some of the network administrators there, and I found them to be good people who valued the privacy of students. It is thus even more perplexing to me that I found out about this data compromise from news outlets, rather than by being informed by the university itself.
This was not the fault of NSIT. Krypton is not a secure server and the policy is clear: don’t put up things that need to be secure! Someone who had access to Krypton — and that’s a lot of people — uploaded secure information and made it world readable. As far as I know (contrary to the Maroon article) none of this information was available at any time directly from the internet. At the least you needed access to Krypton.
If, say, OUSH uploaded your personal information to a web server run by AOL would you upset with the OUSH or AOL? Everyone seems to be opting for the latter.
To “someone@uchicago.edu”, you’re quick to assume that I’m laying the blame on NSIT. In fact, nowhere in my post did I blame NSIT for how this has been handled. When I talk about the “university”, I use it to refer to the careless entity who uploaded private data onto a publicly accessible server. Given my dealings with those at NSIT, I don’t think there is anybody there who would be stupid enough to do this.
I said that the people at NSIT are good people, and I applauded their quick action. Ultimately, NSIT cannot be held responsible for what its users do. I think we are in agreement on this.
I remain disappointed with the organisation within UChicago who negligently stored this information on a publicly accessible server.
I’m not sure if this could really be called a “compromise” since there has been no “incident” (at the moment, no one is known to have stolen the data), but it is a severe security violation.
I’m glad that deligent Residential Computing staff found the information, but I do find it dubious that the information ended up on krypton in the first place. I am disappointed as well that that would occur.
The window of opportunity has also been sporadic since Rescom people have combing through the files periodically. I realize that is of little confort. NSIT ans associated organizations should have been auditing services immediately after sensitive files were first discovered.
What is sad is that some organization in the administration just really did not get it… and was uploading files up to last week.
My theory is that the information originated from the registrar’s office and was placed on krypton in order to transfer the information from one office to another within the administration. The perpetrators probably were not aware of the public nature of the server nor of the inherent insecurity.
I optimistically hope that the Good Guys ™ found it first and that the current situation will make people more aware of the sensitivity of the data they handle.