Sensitive Columbia University student information exposed for 16 months

Date Reported:
6/12/08

Organization:
Columbia University

Contractor/Consultant/Branch:
None

Victims:
Current and former students

Number Affected:
5,000

Types of Data:
Housing information including Social Security numbers

Breach Description:
"On June 3, Columbia University's Housing and Dining department was informed that one archival database file containing the housing information of approximately 5,000 current and former undergraduate students was found on a Google-hosted website."

Reference URL:
New York, The Sun
The BWOG
Columbia Housing & Dining SSN Security Breach petition

Report Credit:
The BWOG

Response:
From the online sources cited above:

On June 3, Columbia University's Housing and Dining department was informed that one archival database file containing the housing information of approximately 5,000 current and former undergraduate students was found on a Google-hosted website.
[Evan] Columbia University was informed by an alumna.  The URL for the information was To see how the page looked on 5/23/08, see here (this is a cached site that does not allow for any disclosure of information, and may not be available for long).

Google removed this file, at our request, that same day.
[Evan] Some students reported that some of the personal information was available in cached indexes for some time.

Columbia Public Safety investigators have concluded that this security breach was unintentional.

No financial data was included in the file in question, and we have no evidence of wrongdoing or identity theft.

It appears that the file was inadvertently posted by a former student employee in February 2007.
[Evan] The question people are asking is why did a student have access to such sensitive information and what kind of training was provided for handling confidential information.  Obviously mistakes are much more common in situations where people are not well trained.

Columbia would not identify the student, saying only that the person had worked in the university's housing office.

it is important for you to be aware that your name and Social Security Number were included in the file.

We are very sorry for this occurrence.

Columbia University is continually strengthening its measures to protect Social Security Numbers where they are required in our systems.

Housing & Dining manually eliminated Social Security Numbers from its online room selection process and contracts in April 2007.
[Evan] This was a good move in my opinion.  Social Security numbers shouldn't be required for housing selection at college.

Further, in spring 2008, Columbia Housing and Dining implemented a new software system to manage and improve the housing assignment, contract, and billing processes which also does not use Social Security Numbers.
[Evan] Another good move.  Automated processes are much less error prone.

Columbia has arranged for you to receive a free two-year subscription to a credit monitoring service

We sincerely apologize for the inconvenience this has caused you.

If you should have any questions or comments, please contact us by calling 1 or by emailing (mailto:).

Several students yesterday created an online petition and posted it to the main campus Web log, demanding that the university investigate the former employee and issue a report explaining how security will be increased.
[Evan] The petition site is located at this URL: www.petitiononline.com/breach/petition.html

Commentary:
The cause of this breach seems obvious.  It seems that a poorly trained, part-time student-employee posted confidential information online and probably gave little thought to any potential security implications.  Poorly trained, part-time employees will probably make more mistakes than well trained, full-time employees.  Makes sense.  It's probably not a good idea to allow poorly trained, part-time employees to handle sensitive information.

I am glad to read that Columbia University Housing & Dining services no longer uses Social Security numbers in "online room selection process and contracts" or "housing assignment, contract, and billing processes".

I suggest that readers take a look at the comments on The BWOG article.

Past Breaches:
April 2007 - "three databases containing students' addresses and Social Security numbers were online" according to The Sun story (referenced above)


 