Mississippi joins list of colleges leaking data

Ray was just surfing the Internet looking for information on an old friend. Instead, he found a gold mine for identity thieves -- a Web site full of documents listing hundreds of student names and Social Security Numbers. It was posted right on the University of Mississippi's Web site, there for anyone to see.

"I was just looking up an old college friend when I stumbled on this page," said Ray, who requested his last name be withheld. "I know this isn't something I should be able to see." 

There were about 20 documents listing fraternity and sorority members. Some had as few as five entries. The list of Phi Mu members included 189 names and Social Security Numbers.  In all, about 700 students were listed in the documents.

After a call from MSNBC.com, the university shut down access to the Web page Wednesday. Jeff Alford, assistant vice chancellor for university relations, said the files had likely been exposed on the Internet since 2003.

The information was published to the Internet by a former staff member in the dean of students office as a backup file, Alford said.  The staff member no longer works at the university, he said.

"It was information he had access to for his job," Alford said.  "For some reason, he saved the information as a backup file on the university (Web) server. It is a clear violation of our privacy policy, and a serious violation."

The backup file was created in August 2003, he said, and has likely been exposed to Internet users since then.

It would be difficult for users of the University of Mississippi's Web site to stumble across the information, as it was posted to an obscure address and not linked from anywhere else. But because it had been on the Internet so long, the information had been indexed by the major search engines. Anyone searching for one of the victims' names using Google or Yahoo would have been served a link to the Web page, including the Social Security Numbers.

"We take this very seriously," Alford said. "We will continue to investigate."

Universities at risk
The security lapse at the University of Mississippi comes at a time when news of privacy breaches at major universities has seemingly become commonplace. In recent weeks, high-profile data theft incidents at Boston College and the University of California at Berkeley have exposed over 100,000 people to identity theft. In March, Chico State in California had a theft incident involving 59,000 people. The University of Nevada-Las Vegas, the Wharton School of Business, and the Northwestern University Kellogg School of Management have all reported theft incidents. And on Wednesday, the San Francisco Chronicle reported that hackers may have stolen 7,000 identities from the University of California at San Francisco.

Jonathan Bingham, president of security firm Intrusic, issued a warning to colleges and universities last fall that increased hacker attacks were likely. He says schools have a unique challenge in the information security age.  The public, academic side of the university needs to maintain open standards and a spirit of free information sharing; but the corporate side of the university needs to guard critical financial information the way any financial institution would.

"Depending on the university, some don't have resources to develop two separate networks.  So they use the same resources for their public activities as they do their business activities," he said. Such practices predictably lead to theft of critical data. "Everything at a university is about sharing. Hackers know this."

He said the situation for schools has only gotten worse during the past several months because more criminals are becoming familiar with simple ways to find accidentally-exposed information through search engines like Google, popularly called "Google hacking."

The source who found the information on the University of Mississippi's Web site used a search engine -- he wasn't sure which one -- to find the leaked data.

"I'm concerned about the breaches we've been seeing and want to figure out how to get it through people's heads that this is not something that is harmless," Ray said.

Google yourself
Google hacking -- using the powerful search engine to find documents with private information that have been accidentally posted to the Web -- continues to be a concern for security professionals.

A team of researchers gathered in Seattle last weekend for an impromptu Google hacking contest found hundreds of sensitive computer files, said Josh Pennell, CEO of IOActive, which participated in the hunt. His staff members found 300 passports which had been digitally scanned and placed online, along with about 3,000 Social Security Numbers. His team even found a set of internal employee performance reviews.

Pennell recommends consumers regularly Google themselves to see if their private information is lying around somewhere on the Web.

Consumers can enter their entire name in quotes in the search engine, as a start. Adding part of a financial identifier as a second search term -- such as the first few digits of a credit card number or a Social Security Number -- is an even more effective way to dig up accidental Web page listings. Entering full account numbers is a bad idea, because they will then be transmitted across the Internet over an insecure connection, and may end up stored in computers along the way.

But the most dangerous data is usually stored in Word documents or Excel spreadsheet files that have been posted to the Internet, Pennell said. That was the case in the University of Mississippi incident.

"If you really want to find the scary stuff, look into the advanced features at Google," he said.  "And ask Google, 'I want to look for my name in all Word doc files or Excel spreadsheets.' That's where I see most of the scary stuff."

And if you find yourself, and your sensitive data, listed in a search engine's results, you can take some action by contacting the search engine and requesting that it remove the listing.

Bob Sullivan is author of Your Evil Twin: Behind the Identity Theft Epidemic.