Binghamton University Potentially Loses Thousands of SSNs...

Straha
Lord of the Spam
Posts: 8198
Joined: 2002-07-21 11:59pm
Location: NYC

Binghamton University Potentially Loses Thousands of SSNs...

Post by Straha »

WHRW News wrote:
Binghamton University has once again dropped the ball on securing the private information of students and parents. In a titanic breach of security, Binghamton University kept payment information for every student, possibly dating back at least ten years in a storage area next to one of the most trafficked lecture halls on campus, behind a door that was not only unlocked but taped open. The information itself contained social security numbers, credit card numbers, scans of tax forms, business information (including social security numbers and salary information for employees of students' parents), asylum records and more, all kept in a haphazard and disorganized fashion, sprawled out in boxes, in unlocked (yet lockable) filing cabinets and shelving units. And, to seemingly add insult to injury, the university left dollies and a shopping cart in the room, apparently to aid in any attempted theft. (Pictures of the room are beneath the story.)

Over the recent years Binghamton University has acquired a reputation for being less than able to defend its students', and former students', personal information, especially when it comes to Social Security numbers. Over the past year alone the university has, inadvertently, e-mailed the social security numbers of 338 students in its school of management to over 200 students, has sent personal information of exchange students (including scans of passports and birth certificates) to student groups, and has, most recently, unceremoniously dumped the information of over 70 former graduate students into dumpsters on top of piles of shredded documents. In response to these egregious breaches the university administration created an Information Security Council, with a dedicated full time “information security officer” chairing the council, to make sure no new breaches would ever take place. This breach, however, is by far the worst to ever take place on Binghamton University's campus, and possibly any campus in recent history.

Last week WHRW News reporters were exploring the lecture halls of Binghamton University, a public building open to all people until very late in the evening. While wandering around they came across a door in a lecture hall which was taped open. Inside the door was what seemed to be the “hall of student records,” for lack of a better term. Inside the two floor storage space were multiple unlocked filing cabinets appearing to contain records of tuition payment for every student of, at least, the past four years. The records were sorted by year and social security number, and included at the bottom of some of them credit card numbers of the payees. Next to those filing cabinets were filing cabinets with records of students establishing residency in the state of New York; these files are much more troubling than the receipts of tuition payment because they often contained tax information, and copies of social security cards, of students' parents. One particularly troubling file contained scans of a student's social security card, driver's license and vehicle registration, scans of a letter from the U.S. Government to his mother granting her asylum, scans of the student's parent's tax W-9 tax forms, containing both their social security numbers, and scans of the tax forms for the small business they own, which included social security numbers and vital information of employees of the business.

This was, however, only the tip of the iceberg. In other filing cabinets were what appeared to be receipts of credit and debit card payments to the university, scattered around the two floor space were binders dating back as far as the mid-nineties stuffed full of papers with records of payment to the university for a variety of student accounts (sorted by social security number,) and, perhaps worst of all, a box of tax forms, containing addresses, names, social security numbers and more, sent out to students that were returned to Binghamton University due to failure of delivery. This box, the binders, and piles of important information were left on top of (lockable) filing cabinets and on book shelves with no form of security, or even seeming indexing.

It's horrifying to think that the worst part of this breach can't be placed between the taped-open door allowing easy access to such a vital room, the lack of almost any real organization or indexing of the records and documents preventing investigation into which files were stolen if a theft occurred, or the shopping cart and dollies left in the room to help, one can only suppose, expedite any information theft attempts. Perhaps the worst part of this was the location. The room in which all of this was stored has two doors opening into a regularly used classroom, and is the only access route for a catwalk over the classroom, which was the only access way for special lighting in the room. One can only imagine how many technicians and janitors may have had access to these rooms for seemingly mundane tasks.

Quantifying this breach is hard. Binghamton University has a yearly enrollment of roughly fourteen thousand people. If the information inside the room pertained only to the current students enrolled and their parents that would mean the story would affect, roughly, forty-two thousand people. However, because the information goes back at least ten years, if not more, the potential number of people affected lies well in the hundred thousands. There is no way to know if Binghamton University can keep track of everyone's information that was in the room, or if they could contact them all with information about the breach. Thankfully, however, there is no evidence, as of yet, that there was any theft or breach of security procedures. Though, given the lack of organization in the room and the ample access provided to the room, that is hardly a reassuring thought.

WHRW News has offered to cooperate fully with the university in sharing all information that it found in return for an agreement from the university that there would be no pressure placed on it by its administration, and that reporters would not be prosecuted. Despite verbal assurances that an agreement would be forthcoming, the university has since changed its tone and has declined to offer such agreement. In fact, an official of the university has said, outright, that the News Director of WHRW News should seek personal legal counsel immediately.
There are pictures on the other side of the link... wow.
'After 9/11, it was "You're with us or your with the terrorists." Now its "You're with Straha or you support racism."' ' - The Romulan Republic

'You're a bully putting on an air of civility while saying that everything western and/or capitalistic must be bad, and a lot of other posters (loomer, Stas Bush, Gandalf) are also going along with it for their own personal reasons (Stas in particular is looking through rose colored glasses)' - Darth Yan
Imperial Overlord
Emperor's Hand
Posts: 11978
Joined: 2004-08-19 04:30am
Location: The Tower at Charm

Re: Binghamton University Potentially Loses Thousands of SSNs...

Post by Imperial Overlord »

This is one of these stranger than fiction occurrences. If I had written something like this in a story, no one would believe it.
The Excellent Prismatic Spray. For when you absolutely, positively must kill a motherfucker. Accept no substitutions. Contact a magician of the later Aeons for details. Some conditions may apply.
FSTargetDrone
Emperor's Hand
Posts: 7878
Joined: 2004-04-10 06:10pm
Location: Drone HQ, Pennsylvania, USA

Re: Binghamton University Potentially Loses Thousands of SSNs...

Post by FSTargetDrone »

When I was at Penn State in the early 90s, they used Social Security Numbers for Student ID numbers, printed right on the front of the ID card. Guess how often those cards were lost by people?

I sure hope they changed that system.
Pelranius
Sith Marauder
Posts: 3539
Joined: 2006-10-24 11:35am
Location: Around and about the Beltway

Re: Binghamton University Potentially Loses Thousands of SSNs...

Post by Pelranius »

Ah, social security numbers. For a moment I thought that Binghamton had lost a boatload (pardon the pun) of nuclear attack submarines.
Turns out that a five way cross over between It's Always Sunny in Philadelphia, the Ali G Show, Fargo, Idiocracy and Veep is a lot less funny when you're actually living in it.
FSTargetDrone
Emperor's Hand
Posts: 7878
Joined: 2004-04-10 06:10pm
Location: Drone HQ, Pennsylvania, USA

Re: Binghamton University Potentially Loses Thousands of SSNs...

Post by FSTargetDrone »

Pelranius wrote: Ah, social security numbers. For a moment I thought that Binghamton had lost a boatload (pardon the pun) of nuclear attack submarines.
Yes, but, who has "thousands" of submarines? :lol:
Narkis
Padawan Learner
Posts: 391
Joined: 2009-01-02 11:05pm
Location: Greece

Re: Binghamton University Potentially Loses Thousands of SSNs...

Post by Narkis »

And here I thought nothing could top my old college: They accidentally e-mailed the wage report of every single professor and staff member to every single student that had a registered e-mail account two years ago. I think the students are still using those numbers every time the dean says there's not enough money to fix/upgrade something.
Zixinus
Emperor's Hand
Posts: 6663
Joined: 2007-06-19 12:48pm
Location: In Seth the Blitzspear

Re: Binghamton University Potentially Loses Thousands of SSNs...

Post by Zixinus »

Holy fucking shit, are you telling me that the university has worse security than my high school?
Credo!
Chat with me on Skype if you want to talk about writing, ideas or if you want a test-reader! PM for address.
Aratech
Jedi Knight
Posts: 627
Joined: 2006-11-04 04:11pm
Location: Right behind you

Re: Binghamton University Potentially Loses Thousands of SSNs...

Post by Aratech »

Zixinus wrote: Holy fucking shit, are you telling me that the university has worse security than my high school?
Yeah... this is surreal. I didn't realize that these morons were taking lessons from the British Government when it came to securing private data.

Someone needs to get fired for this. It's beyond incompetent, it's criminally negligent.
"Impossible! Lasers can't even harm out deflector dish! Clearly these foes are masters of illusion!' 'But sir, my console says we-' 'MASTERS OF ILLUSION! - General Schatten
Erik von Nein
Jedi Council Member
Posts: 1747
Joined: 2005-06-25 04:27am
Location: Boy Hell. Much nicer than Girl Hell.

Re: Binghamton University Potentially Loses Thousands of SSNs...

Post by Erik von Nein »

The community college I went to did the exact same thing. They put SSN numbers on student cards, then warned students to keep track of them and never, ever lose them because ... they have your SSN number on them. They did this until the exact same thing happened, where a ton of SSNs got stolen. Then they did the brilliant thing of switching to a bar code — that was still your SSN. Finally they've moved on since then, but it was really dumb.
"To make an apple pie from scratch you must first invent the universe."
— Carl Sagan

Aratech
Jedi Knight
Posts: 627
Joined: 2006-11-04 04:11pm
Location: Right behind you

Re: Binghamton University Potentially Loses Thousands of SSNs...

Post by Aratech »

Erik von Nein wrote: The community college I went to did the exact same thing. They put SSN numbers on student cards, then warned students to keep track of them and never, ever lose them because ... they have your SSN number on them. They did this until the exact same thing happened, where a ton of SSNs got stolen. Then they did the brilliant thing of switching to a bar code — that was still your SSN. Finally they've moved on since then, but it was really dumb.
Were the colleges/universities that I attended/attend the only ones expecting college level students to be smart enough and responsible enough to memorize their freaking SSN?
"Impossible! Lasers can't even harm out deflector dish! Clearly these foes are masters of illusion!' 'But sir, my console says we-' 'MASTERS OF ILLUSION! - General Schatten
Erik von Nein
Jedi Council Member
Posts: 1747
Joined: 2005-06-25 04:27am
Location: Boy Hell. Much nicer than Girl Hell.

Re: Binghamton University Potentially Loses Thousands of SSNs...

Post by Erik von Nein »

Well, no. They expected you to have your SSN on hand for other reasons, since having a student ID wasn't necessary. They were just using it as an ID number because it was readily available and unique to everyone. Now you most certainly need to memorize your SSN, at least.
"To make an apple pie from scratch you must first invent the universe."
— Carl Sagan

Molyneux
Emperor's Hand
Posts: 7186
Joined: 2005-03-04 08:47am
Location: Long Island

Re: Binghamton University Potentially Loses Thousands of SSNs...

Post by Molyneux »

...jesus.
My brother goes to this school, and I went there as well...the only ray of sunshine in this seems to be that they don't know that anything was stolen.
Ceci n'est pas une signature.
Genii Lodus
Padawan Learner
Posts: 199
Joined: 2005-06-06 09:34am

Re: Binghamton University Potentially Loses Thousands of SSNs...

Post by Genii Lodus »

The business of using your SSN as a unique identifier seems very strange from a UK perspective. The equivalent over here would be your National Insurance Number which is only really ever asked for by employers. I don't see why the SSN would find such ubiquitous use, my university just issues us an 8 digit number which isn't hard to remember after you've used it every single time you need to log into a computer. I can understand that in a lot of institutions this usage was prevalent before online fraud became so easy and prevalent but it still doesn't explain why they started using SSNs in the first place.
Kodiak
Jedi Master
Posts: 1400
Joined: 2005-07-08 02:19pm
Location: The City in the Country

Re: Binghamton University Potentially Loses Thousands of SSNs...

Post by Kodiak »

As a nitpick- "SSN Number" is redundantly redundant, just like "ATM Machine" :)

At California State schools they used the SSN as a student identifier for a long time that was accessible by professors, staff, and most all of the administration. Some teachers posted test scores on the door of their office without NAMES (so nobody would be embarrassed), but with the SSN instead :roll: 2 years into it they made a change and issued everyone 12 digit Student ID Numbers and removed the SSN entirely from the record keeping system.

I can't believe they protected their students' identities with scotch tape, it's mind-boggling.
PRFYNAFBTFCP
Captain of the MFS Frigate of Pizazz +2 vs. Douchebags - Est vicis pro nonnullus suscito vir

"Are you an idiot? What demand do you think there is for aircraft carriers that aren't government?" - Captain Chewbacca

"I keep my eighteen wives in wonderfully appointed villas by bringing the underwear of god to the heathens. They will come to know God through well protected goodies." - Gandalf

"There is no such thing as being too righteous to understand." - Darth Wong
The Duchess of Zeon
Gözde
Posts: 14566
Joined: 2002-09-18 01:06am
Location: Exiled in the Pale of Settlement.

Re: Binghamton University Potentially Loses Thousands of SSNs...

Post by The Duchess of Zeon »

Yeah, I've never been to a school where the SSN was used as an identifying number; all the ones I've attended had already switched over to unique eight-digit student ID numbers.
The threshold for inclusion in Wikipedia is verifiability, not truth. -- Wikipedia's No Original Research policy page.

In 1966 the Soviets find something on the dark side of the Moon. In 2104 they come back. -- Red Banner / White Star, a nBSG continuation story. Updated to Chapter 4.0 -- 14 January 2013.
folti78
Padawan Learner
Posts: 420
Joined: 2008-11-08 04:32pm
Location: Hungary, under a rock.

Re: Binghamton University Potentially Loses Thousands of SSNs...

Post by folti78 »

Genii Lodus wrote: The business of using your SSN as a unique identifier seems very strange from a UK perspective. The equivalent over here would be your National Insurance Number which is only really ever asked for by employers.
Same here, because the use of the 3 ID numbers every adult has to have (Hungarian SSN, tax ID and personal identifier) is heavily regulated.
Genii Lodus wrote: I don't see why the SSN would find such ubiquitous use, my university just issues us an 8 digit number which isn't hard to remember after you've used it every single time you need to log into a computer. I can understand that in a lot of institutions this usage was prevalent before online fraud became so easy and prevalent but it still doesn't explain why they started using SSNs in the first place.
IIRC it's the case of lax data protection regulations*, coupled with institutional laziness. It's already there, unique, so why not use?

* if memory serves, databases containing SSN's were available commercially even from government institutions up to the first half of the 00's. Or maybe longer... :shock:
General Zod
Never Shuts Up
Posts: 29211
Joined: 2003-11-18 03:08pm
Location: The Clearance Rack

Re: Binghamton University Potentially Loses Thousands of SSNs...

Post by General Zod »

folti78 wrote: * if memory serves, databases containing SSN's were available commercially even from government institutions up to the first half of the 00's. Or maybe longer... :shock:
The only databases like that I'm aware of are ones involving dead people. Those numbers are generally fairly useless once the person's no longer living.
"It's you Americans. There's something about nipples you hate. If this were Germany, we'd be romping around naked on the stage here."
Phantasee
Was mich nicht umbringt, macht mich stärker.
Posts: 5777
Joined: 2004-02-26 09:44pm

Re: Binghamton University Potentially Loses Thousands of SSNs...

Post by Phantasee »

I used to work at Canadian Tire here, a big retail chain in Canada. They used our SINs (Social Insurance Number) for the employee ID, which we had to use every time we punched in and out. That meant start of the shift, lunch, back from lunch, and end of shift. I was always a little dumbfounded when someone would be rushed to get to lunch, so they'd shout their SIN to their buddy so that one person could log two or more people out.

At least I remember mine very well now, as long as I can see a numeric keypad in my head...
XXXI
Rogue 9
Scrapping TIEs since 1997
Posts: 18684
Joined: 2003-11-12 01:10pm
Location: Classified

Re: Binghamton University Potentially Loses Thousands of SSNs...

Post by Rogue 9 »

My workplace uses the last four digits of the SSN for the punch clock, which infuriates me; it wouldn't be hard to get a number that isn't so drastically important to use for that purpose, considering he employs maybe twenty people.

As for the story in the OP, as it notes in the last paragraph of the story, Binghamton University is threatening legal action against the station's news director. I have a few more details than that by word of mouth (he's on my e-mail contacts list; the reason is a long story), but I can't see what they hope to accomplish; the reporting is a clear First Amendment issue, and if they press trespassing charges they commit legal suicide by openly admitting that they stored the documents unsafely.
It's Rogue, not Rouge!

HAB | KotL | VRWC/ELC/CDA | TRotR | The Anti-Confederate | Sluggite | Gamer | Blogger | Staff Reporter | Student | Musician