Mailing error at the University of Maryland exposes student information
Date Reported:
7/17/08
Organization:
University of Maryland
Contractor/Consultant/Branch:
Department of Transportation Services
Victims:
All students registered for Fall 2008 classes
Number Affected:
23,727
Types of Data:
Names, addresses, and Social Security numbers
Breach Description:
On July 1st, 2008, the University of Maryland Department of Transportation Services mailed an on-campus parking brochure to all students registered for Fall 2008 classes as of June 15, 2008. Recipient Social Security numbers were inadvertently exposed on the mailing labels.
Reference URL:
University of Maryland
ABC Channel 7 News
WTOP FM 103.5 News
Report Credit:
University of Maryland
Response:
From the online sources cited above:
On July 1st, 2008, the University of Maryland’s Department of Transportation Services sent all students registered at the time, by U.S. mail, a brochure with on-campus parking information.
On July 8, 2008, the University discovered that the labels on that mailing included the addressees’ Social Security numbers.
[Evan] Sheesh, a fraudster doesn't even have to tamper with the mail if the Social Security number is on the label.
The error was discovered on the morning of July 8 when calls were made to the University.
This parking mailer was sent to all individuals registered for Fall 2008 classes at the University of Maryland as of June 15, 2008.
The mailing list numbered 23,727 individuals.
In our annual effort to provide parking and transportation information to the University community, the names and addresses of all registered students were requested internally at the Department of Transportation Services for the purpose of creating mailing labels for a brochure.
This information was generated by a computer query and included names, addresses and what was believed to be University identification numbers (UIDs).
[Evan] When writing and executing database queries, isn't it a good idea to check the results and see if the information displayed is the information you were looking for? I wonder if UIDs are also nine digits long like Social Security numbers are.
Our normal process is to remove the University ID numbers prior to mailing.
[Evan] Is it safe to assume that "normal process" was not followed in this instance? If so, then why not? There is no mention in the school's response.
It was not apparent to departmental staff that these numbers not only still existed within the file, but were Social Security numbers, and not University ID numbers.
[Evan] Not apparent? They were on the labels!
The numbers were not identified as Social Security numbers and did not show the normal spacing between digits.
[Evan] So it would be xxxxxxxxx instead of xxx-xx-xxxx. What percentage of people would recognize the first set of nine digits as an SSN?
This mailer was sent using third class, bulk mail delivery and may not have been delivered to you yet.
Currently, there is no evidence that anyone's Social Security number has been misused.
The University apologizes and deeply regrets this unfortunate mistake.
We are initiating immediate action to ensure that this error does not recur.
[Evan] Like what? Maybe train people to review their query results and follow "normal process"?
The University of Maryland values the critical importance of your personal information.
We strongly recommend that you take appropriate precautions to mask, black out or destroy this document after use.
In unfortunate situations like this, it is possible that dishonest people may contact you asking for personal information in the guise of offering assistance from the University.
[Evan] Equally unfortunate is the fact that there are a lot of dishonest people.
Please note that the University WILL NOT contact you by phone, e-mail or in any other way requesting personal information regarding this incident.
Please do not release any personal information in response to contacts claiming to be from the University.
In response to this incident, the University, and specifically the Department of Transportation Services, has moved to severely restrict access to sensitive student and faculty/staff information; we believe the fewer individuals who have access to this data will only increase our ability to protect sensitive information.
If individuals feel that they would like to take extra steps beyond the fraud alert, the University has arranged with Equifax to make available, at no cost to them, a 12-month service that includes credit monitoring, customer care, fraud expense reimbursement insurance and access to their credit report.
If you have not received this mailer and are unsure if you are included in the affected group, please call toll-free 1, Monday - Friday, 8:30 a.m. - 5 p.m. EST.
You may contact us in one of the following ways:
By telephone: Toll-free 1, Monday-Friday, 8:30 a.m. - 5 p.m. EST
Via e-mail:
Mailing address: Regents Drive Garage, Building #202, College Park, MD 20742
Commentary:
Lack of attention to detail, coupled with a lack of control, increases the risk of confidential information disclosure. This is not all that uncommon.
Past Breaches:
Unknown
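The review of query results that the commentary above asks for can be automated. This added example (not code from the University or the original post) blocks a label export that carries a column a label does not need, or a column of nine-digit values that are structurally valid as SSNs whether or not they have the xxx-xx-xxxx separators. Column names and sample rows are constructed assumptions; a nine-digit University ID would also trip the check, which is the cue for a person to look before printing.

```python
import csv
import io
import re

# Fields a mailing label actually needs (assumed names, not from the page).
LABEL_FIELDS = {"name", "street", "city", "state", "zip"}

# Nine digits, either bare or with matching separators (so ZIP+4 does not match).
NINE_DIGITS = re.compile(r"^(\d{3})([- ]?)(\d{2})\2(\d{4})$")


def looks_like_ssn(value):
    """True if value is nine digits that are structurally valid as an SSN."""
    m = NINE_DIGITS.match(value.strip())
    if not m:
        return False
    area, _sep, group, serial = m.groups()
    # Never issued: area 000, 666 or 900-999, group 00, serial 0000.
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")


def audit_label_export(csv_text, allowed=LABEL_FIELDS, threshold=0.9):
    """Return reasons to block the export; an empty list means it may be printed."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    findings = []
    for col in (rows[0].keys() if rows else []):
        if col.lower() not in allowed:
            findings.append(f"column '{col}' is not needed on a label")
        values = [r[col] for r in rows if r[col]]
        hits = sum(looks_like_ssn(v) for v in values)
        if values and hits / len(values) >= threshold:
            findings.append(f"column '{col}' holds SSN-like nine-digit values")
    return findings


# Constructed sample rows; the numbers are made up and unformatted, as on the labels.
SAMPLE = """name,street,city,state,zip,id
A. Student,1 Example Way,College Park,MD,20742,123456789
B. Student,2 Example Way,College Park,MD,20742,234567890
"""
CLEAN = """name,street,city,state,zip
A. Student,1 Example Way,College Park,MD,20742
"""

if __name__ == "__main__":
    for finding in audit_label_export(SAMPLE):
        print("BLOCK:", finding)
```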