
University Of Wisconsin-Madison Leaves 60,000 SSNs Unprotected For Two Years

Colleges getting schooled on dangers of keeping social security numbers on file

A recent database breach that potentially exposed the Social Security Numbers of 60,000 former students and staff at the University of Wisconsin is bringing attention to the way higher education institutions store and protect SSNs -- even after they've been discontinued as a student identification number.

The breach came to light earlier in the month when affected victims were informed by a letter from the university that their data might have been breached after sitting in an unsecure database for more than two years. Like many universities around the nation, University of Wisconsin had discontinued the use of SSNs in student identification numbers in 2008 to better protect student identities. Unfortunately, the university retained information about affected individuals within the poorly protected database even after their IDs were deactivated.

University officials say they were made aware of an intrusion into the database in October and have not found the individuals responsible for the hack. Though sensitive data was stored within the database, the university claims its forensic investigation didn't provide evidence that former student data was accessed.

"During our investigation and examination, we reviewed the available logs dating back to January 2008 and discovered the system suffered unauthorized accesses a number of times. However, supplemental logs available for a shorter time period did not show any evidence of file transfers consistent with the size of the database file that contained your personal information. Further, our investigation found no evidence that the unauthorized individuals were aware of your personal data in the database or that it has been retrieved or misused," the University of Wisconsin wrote in its letter (PDF) to potential victims.

According to Thom VanHorn, vice president of global marketing for AppSec, universities face a challenging situation because they often store data about large numbers of former users within their data stores, which tend to be spread out and inconsistently protected. "The thing with educational institutions is that you're not just talking about current students, you're talking about years and years of alumni," he says.

Often old data is retained within test databases that remain online and slip through the cracks of the security infrastructure.

"That's why it's so important for organizations not only to protect their production databases, but also to protect databases that are connected to the network that were test databases," VanHorn says. "Because the database infrastructure is only as strong as its weakest link, and once you're on the network you can probe around and find test databases that have actual data."

University officials say that since the incident, the university has taken all student ID card numbers with SSN information offline.

The University of Wisconsin breach was one of two major data breaches to beset a large higher education institution within the past several weeks. Last week, Ohio State University announced a breach that exposed 760,000 students, alumni and staff.

According to AppSec, since 2008 colleges and universities have exposed more than 2.3 million records.


Kelly Jackson Higgins is Senior Editor at Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ...
