Re: [MLUG - DISCUSSION] MU Gets Hacked, Loses 22,000 SSN!

Email address obfuscation in effect -- please click here to turn it off.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

To: MLUG Off-Topic Discussion <EMAIL:PROTECTED>
Subject: Re: [MLUG - DISCUSSION] MU Gets Hacked, Loses 22,000 SSN!
From: "Christian M. Cepel" <EMAIL:PROTECTED>
Date: Tue, 08 May 2007 14:42:44 -0500
Delivery-date: Tue, 08 May 2007 14:43:07 -0500
Envelope-to: EMAIL:PROTECTED
In-reply-to: <EMAIL:PROTECTED>
References: <EMAIL:PROTECTED> <EMAIL:PROTECTED>
Reply-to: MLUG Off-Topic Discussion <EMAIL:PROTECTED>
Sender: EMAIL:PROTECTED
User-agent: Thunderbird 1.5.0.10 (Windows/20070221)

You could be either an employee OR a student.

If you call the first of the three agencies and register a fraud alert, they will alert the other two.... all it does is causes them to phone the number you give them before approving any _new_ lines of credit and only for the next 90 days.

This does absolutely nothing to stop attacks on existing lines of credit. There is a service for that, but it costs quite a bit of money. Some companies/schools will pay for this service, but others don't. I expect there will be lots of pressure on MU in the next few days to pony up... right now their website pretty much can be redacted to the following statement, "We lost your SSN... here are some numbers.... it's up to you to make sure nothing happens.. the ball is in your court". I don't think that's going to fly and I myself have already responded telling them that I expect for them to pay for this service, and not for just the next 90 days. Scammers like this don't mind waiting 90 days to get the payoff.

Disturbing, but I think it's just the tip of the iceberg. There's no way for this information to be protected in todays world, especially when everybody and their dog and Joe-disgruntled-employee has access to it. What's the difference between the guy who's asking your SSN to take your phone bill payment and the guy who's got your SSN and is setting up lines of credit.... sometimes the difference is a bad day at work. The real responsibility here is with Congress and with the credit and lending institutions and credit reporting agencies. The only reason this is an issue is because of the ridiculous way in which our financial resources are managed and protected and our identities verified. Until we hold Congress responsible to reform (as far as I'm concern, the correct word is 'imprison') the credit reporting agencies and the way lenders and credit card companies do business so that the consumer is not constantly the looser in these scenarios, we can expect more of the same.

I have to present photo ID and a birth certificate to renew my license plate tags here in Missouri, but some schmuck with my SSN and birthdate can setup and utilize a 30k credit line on my person over the phone.

Bret Hammersland wrote:

On 5/8/07, Jerry Gamblin <EMAIL:PROTECTED> wrote:

http://www.columbiatribune.com/2007/May/20070507News054.asp

Ouch!

--
Thanks,

Jerry Gamblin

_______________________________________________
discussion mailing list
EMAIL:PROTECTED
http://mlug.missouri.edu/mailman/listinfo/discussion


Looks like I am one of those 22,000 :(
They said the ones affected were employees in 2004 who were formerly
students.  My first semester was in 2004, but I wasn't an employee
then.  Weird.  I'll copy and paste the "you've been hit" emails below
in case anyone is interested.

Bret

-----------------------------------------------------------------------------------------------------------------------

From: UM DoIT Computer Security
Sent: Tuesday, May 08, 2007 10:04 AM
To: MU STAFF; MU FACULTY; UMHS; UM - ANNOUNCEMENT
Subject: Information About May 2007 University Computer Security Incident

Dear University of Missouri Employee:

A University of Missouri database was breached beginning May 3,
compromising more than 22,000 names and social security numbers. Those
affected include employees of any campus within the UM system during
calendar year 2004 who were also current or former students at the
Columbia campus.

Of those employees affected, nearly 9,000 are still employed by the
University of Missouri. These employees will receive an individual
e-mail outlining the specifics of the incident along with detailed
instructions about how to proceed. Emails to affected employees have
already been sent.  If you did not already receive a separate email,
you are not one of the employees affected and no further action is
required.

The University of Missouri is committed to protecting the
confidentiality of all employee information. A recent project has been
in progress to remove social security numbers from university
databases in an effort to avoid such breaches of confidentiality. As
this extensive process continues, please be advised the university is
doing everything possible to ensure the safety of its data.

For more information about the security breach, please access the
Computer Security Web page that includes a question-and-answer section
regarding the event at http://doit.missouri.edu/computersecurity.

-----------------------------------------------------------------------------------------------------------------------

May 8, 2007

Dear University of Missouri Employee,

I am writing to you because on May 3 and May 4, 2007, a database
containing the names and Social Security Numbers of certain current
and former University staff was accessed by an unknown individual or
individuals who gained unauthorized online access to a University
computer system.  Your name and Social Security Number were included
in this disclosure.

We do not know the specific purpose behind this unauthorized access,
but evidence indicates that the information was accessed
intentionally.  The University considers this a serious matter and has
notified law enforcement authorities.

Although we have no reason to believe that an unauthorized person is
using your personal information, because the database contained your
Social Security Number you may want to take steps to avoid possible
identity theft.  This could include placing a fraud alert on your
credit files to let creditors know to contact you before opening new
accounts.  You can do this by calling any one of the three credit
reporting agencies listed below.

Experian                                  Equifax
            TransUnion
888-397-3742                          800-525-6285
    800-680-7289

You may also wish to check your credit report.  You can get a free
copy of your credit report at www.annualcreditreport.com or by calling
877-322-8228.  When you receive your credit report, look it over
carefully for accounts you did not open.  Look for inquiries from
creditors that you did not initiate and look for personal information,
such as home address and Social Security Number, that is not accurate.
If you see anything you do not understand, call the credit reporting
agency at the telephone number on the report.

If you do find suspicious activity on your credit report, call your
local police or sheriff's office and file a police report of identity
theft.  You should get a copy of the police report in case it is
needed to give to creditors to clear up your records.  You should also
contact the Missouri Attorney General's Identity Theft Hotline at
800-392-8222 and file an Identity Theft Complaint Form with the
Attorney General's Office.

Even if you do not find any signs of fraud on your reports, you may
want to check your credit report every three months for the next year.
You can find additional information on the Missouri Attorney
General's website at http://www.ago.mo.gov/publications/idtheft.htm,
and on the Federal Trade Commission's website on identity theft at
http://www.ftc.gov/bcp/edu/microsites/idtheft.

We deeply regret that this occurred and are reviewing systems,
applications, and procedures in an attempt to remove the possibility
of an event of this nature recurring.

In order to answer any questions that you may have regarding this
incident a special phone line, (573) 884-7222 or toll-free (866)
241-5619 has been activated and will be answered from 8 AM to 5 PM
CST, Monday through Friday.  Additional information about this
security incident is available at
http://doit.missouri.edu/computersecurity.


Sincerely,

Gary K. Allen, DVM, PhD
Vice President for Information Technology, University of Missouri System
Chief Information Officer, University of Missouri-Columbia
225E University Hall, Columbia, Missouri 65211

_______________________________________________
discussion mailing list
EMAIL:PROTECTED
http://mlug.missouri.edu/mailman/listinfo/discussion


--
Christian M. Cepel - Thistledowne Productions - http://thistledowne.org
Computer Support Specialist, Sr. - University of Missouri - Columbia
College of Education - School of Info Science & Learning Technologies
VRCbd, KidTools & StrategyTools Support Systems Projects, and Truman,
Library Whistlestop Project - Web Design & Programming - 573.999.2370


_______________________________________________
discussion mailing list
EMAIL:PROTECTED
http://mlug.missouri.edu/mailman/listinfo/discussion

Follow-Ups:
- Re: [MLUG - DISCUSSION] MU Gets Hacked, Loses 22,000 SSN!
  - From: "Vern Green" <EMAIL:PROTECTED>

References:
- [MLUG - DISCUSSION] MU Gets Hacked, Loses 22,000 SSN!
  - From: "Jerry Gamblin" <EMAIL:PROTECTED>
- Re: [MLUG - DISCUSSION] MU Gets Hacked, Loses 22,000 SSN!
  - From: "Bret Hammersland" <EMAIL:PROTECTED>

Prev by Date: Re: [MLUG - DISCUSSION] MU Gets Hacked, Loses 22,000 SSN!
Next by Date: [MLUG - DISCUSSION] Re: [POLITICS] Democrat Debate
Previous by thread: Re: [MLUG - DISCUSSION] MU Gets Hacked, Loses 22,000 SSN!
Next by thread: Re: [MLUG - DISCUSSION] MU Gets Hacked, Loses 22,000 SSN!
Index(es):
- Date
- Thread