 "Photo:")
In 1998, the Internet was still a new invention for the academic world of Texas A&M. Professors who dared to use it were "cutting edge," maybe even "hip." There were no rules yet, no regulations. The Internet was the Wild West, without the bandits, and professors who used the Internet to reach their classes were the eccentric cowboys.
Now, 10 years later, the bandits are everywhere. Identity theft on the Internet is rampant, and the early files of those Internet cowboys from 1998 make for the easiest of prey.
Clyde Munster, a professor for the department of biological and agricultural engineering at A&M, was shocked this winter to learn that a spreadsheet containing the names, grades and partial Social Security Numbers of 44 students from a class he had taught in 1998 was discovered on the Internet.
The past was still available to be robbed by the present, and it took the University 10 years to realize it.
"Back then, the Internet was a relatively new way of disseminating course information," Munster said. "It's changed quite a bit. Now, it's pretty common to get your courses off the Internet, but 10 years ago, it was relatively new and not many people did it.
"The rules weren't really well understood. In many ways, there weren't any rules established, to tell the truth."
The file was an old Excel spreadsheet that had been used to organize the grades for a class. A&M students are familiar with using their Student ID numbers to access such information in most classes, but this is a relatively new method for student identification. SSNs used to be the norm and they weren't completely phased out until 2005.
Steve Searcy, the associate department head of the department of biological and agricultural engineering at A&M, said the information was stored in such a way that would not be acceptable with today's standards.
"At the age that I understand it is, in terms of information that was contained, it was probably a file that was handled in a way that may have been acceptable at the time," Searcy said.
"But with the increased level of security that is being enforced within the computer network system on campus, it doesn't meet the current standards. It may not have been any kind of a violation at the time, I believe [Munster] just wasn't aware that it was there at all.
"We certainly have been putting in place all the required security for our computing systems that have sensitive information on them. We have been getting a lot of directives from the University regarding how various files should be encrypted and how work stations should be locked, limited access and those sorts of things.
"At this department, we are making a firm and hard effort to follow all those guidelines."
The University's Computer Information Services helps departments to ensure that their data is secure.
"CIS is responsible for campuswide network security, while departments are responsible for securing their own networks and machines," said Willis Marti, director and chief officer of CIS networking and information security. "CIS provides information, security tools and assistance for departments to help them with their security responsibilities."
Marti said that due to the extraordinary amount of servers on campus, a number he estimated as in the thousands, CIS cannot check them all. Server data checking is delegated to the individual departments, to whom CIS plays a support role. Marti said CIS is continuously scanning for old data, such as that from Munster's class, using a program that scans files for SSNs and financial data.
Despite this security, CIS was not the organization to discover the security breach that dated back to 1998. The data was found by the third party organization SSNBreach.org, organized by the Liberty Coalition, a non-profit and non-partisan organization based in Washington, D.C.
The Liberty Coalition didn't have to beat all of the security protocols created by CIS at A&M to find the file. It found it the same way a student finds anything they want on the Internet - the Liberty Coalition Googled it.
"Most of what we've found, to be honest, we've found through Google, Yahoo and MSN," said Aaron Titus, the information privacy director for the Liberty Coalition. "We start thinking like a lazy ID thief. It's just using the search, no Google hacking or anything like that."
The Liberty Coalition uses SSNBreach.org to search the Internet for personal information breaches. It then contacts the source of the breach so that it can be aware of the issue and resolve it. After the data is secured, it puts out a press release so those affected can be aware of what happened.
"What we did is [when] we found the Texas A&M information, we document the names and types of information exposed," Titus said. "We then contacted Texas A&M and let them know about it, and they responded.
"We notified them Dec. 28. They confirmed the info was deleted Jan. 10. But it remained in search engine caches through late March 2008. As far as we can tell, the search engine caches have cleared. We have a strict policy; we wait for a search engine caches to clear before we make an announcement.
"Having said that, once it's on the Internet, it's thrown to the Internet winds. There's no way to get it back. For me, the most frustrating part is that nobody on this list [can be guaranteed they are safe]. I don't know if there's a copy of this on a Russian hard drive, or a Czech search engine - I just don't know."
However, this is not an event that happens only at A&M. Titus said it happens all the time.
"This story repeats itself almost weekly at some different university in the United States," Titus said. "[The document] sat there and some search engine, like Yahoo or Google, found it and picked it up.
"When you search the Internet, you aren't searching the Internet, you are searching Yahoo or Google's copy of the Internet. That's how they get you searches so quickly. So Yahoo or Google, maybe others, have a copy of this information.
"It's possible they deleted it, but not guaranteed. There's also no guarantee that for the year or more that it was available online, that other people didn't get to it also."
When Munster learned that a third party had so easily found his old information, he acted hastily to not only secure the data in question, but to secure any other old data that was lingering on the campus servers.
"I went through and checked everything," Munster said. "I took a lot of the old course material off the drives that could be accessed by the Internet. [The spreadsheet] was from '98, and I wasn't using that anymore. I'm not even teaching that class anymore - the department doesn't even have that class anymore.
"I went through and cleaned up everything that I didn't think was relevant and only kept one or two years back, and made sure it doesn't have any type of sensitive information in it."
Titus said that what Munster did was exactly what all professors at a University should to ensure their student's personal information remains confidential.
"A regular data dump policy that most universities and organizations do not have, but are getting, is absolutely important," Titus said. "The good thing is that Texas A&M doesn't have to wait for Google to come make a copy [of a document] first. They can just do their own search and find [potential breaches].
"Even though it's been exposed online, and they have a moral obligation to let those affected know, it will not be as widespread a breach as if it were picked up by a search engine.
"Professors and universities are very good at protecting current student information: current grades, current student IDs, current enrollment information and all that. We're not so good at protecting old information. Old information sitting on a hard drive, which was backed up, which was copied and forgotten and ends up somehow on a website."
Nobody blames Munster for the data that was discovered by the Liberty Coalition. His story serves as a wakeup call to the University that more must be done, that the personal information of all Aggies, past and present, must be cared for and protected diligently.
"This is a problem we are certainly serious about," Searcy said. "What they managed to find is something that was unintentionally left from 10 years ago. The practices around here in terms of how we protect student information were a little different than what we expect today.
"We don't want leave anything out there exposed. With all this having occurred, we are now conducting scans on our servers for files that might have information on them. We hope to prevent this from ever happening in the future."
"Texas A&M has a very good security record compared to other schools of our size," Marti said. "The University as a whole has a challenge because of its large scale. We are never satisfied unless we have no security incidents, leaks or disclosures. We must be constantly vigilant because of changes to technology."
Be the first to comment on this article!