no, thanks

Some people might say it’s a bad idea to place database files of current and former students and their housing information, indexed by their SSNs, on a web server. How else, I ask you, can a person can win free credit monitoring for one year? Whee!

From: @columbia.edu
Date: April 17, 2007
Subject: Information Security Breach at Columbia

Dear [selfish crab]:

On April 2, Columbia University’s Housing and Dining department was informed that three archival database files containing the housing information of some current and former students were inadvertently placed on a Columbia web server. Exposure was limited because there were no links to the files on any Columbia website and because the files could only be viewed with a Columbia University UNI and password and a specific type of software.

I am sorry to inform you that your name and Social Security number were included in one of the files. Please be assured that Columbia Public Safety investigators have concluded that this security breach was unintentional. No financial data was included in the files in question, and we have no evidence of wrongdoing or identity theft. Still, I wanted to advise you of this occurrence and the actions we are taking to reduce the chance of a future breach.

Information security is a serious issue for us, as we know it is for you. The above-mentioned files were immediately removed from the web server. Moreover, in the wake of this incident, Columbia Housing and Dining has taken steps to eliminate the use of Social Security numbers from its systems, both in room selection for current students and in its archival files.

As an additional precaution, Columbia has arranged for you to receive a free one-year subscription to a credit monitoring system. This service will provide you with a copy of your credit report, monitor your credit files at all three major credit bureaus (Equifax, Experian and Trans Union) and notify you of certain suspicious activities that could indicate identity theft. You will be mailed additional information about enrolling in this service in the next week.

If you do not wish to enroll in this service, you may still choose to activate a fraud alert with the major credit bureaus, or periodically run a credit report to look for potential irregularities and ensure that no new accounts have been activated in your name. Each agency has an automated fraud alert process. If you activate a fraud alert, the agency you contact will notify the other two agencies so that those agencies also can place fraud alerts on your accounts. In addition, each agency will provide you a copy of your credit report at no cost…

* * *

Sincerely,
[somebody important]
Executive Vice President
Student and Administrative Services

6 Comments

Leave a Reply