Shostack + Friends Blog Archive


Colleges and SSNs

For a very long time, colleges have been using social security numbers as identifiers for their prospects, students, and alumni. This is starting to change, driven by liability and brand concerns. No school wants to transform your (hopefully) fond memories of your time there into a firestorm over privacy. From ZDNet:

Dunn said [Boston] college will also purge individuals’ Social Security numbers from all of its records in the future. He said schools have long used the identifiers to keep track of people in a number of ways but noted that increasing concerns over the security of computing systems used to store the information have caused the college and others to review the policy.

or see “Chico State computer system attacked by hackers” in the Chico Enterprise Record (Sacramento, CA):

More than 59,000 people connected to Chico State University will be contacted for what officials are calling the largest computer hacking incident the college has seen.

Notifications to anyone whose personal information was compromised were going out Tuesday, said Joe Wills, director of public affairs at the university.

That list includes current and former Chico State faculty and staff members. But the majority are students, since the server hackers targeted held the names and Social Security numbers of current, former and prospective students.

The easiest way to avoid this sort of story about your business is to not collect such data. Financial aid may cause you to need the SSNs of current students. Why on Earth do you need the SSN of a prospective student? Why do you need to maintain the SSN of an alumni? (If there are legal reasons, now would be a great time to get Congress to change them.)

4 comments on "Colleges and SSNs"

  • Colleges And SSNs

    Adam at Emergent Chaos has more on the recent story of data theft at Boston College. About colleges using SSNs…

  • Chris Walsh says:

    There’s a SB1386 disclosure archive run by (A Google search will get you the URL, which I cannot put here since it’d be stripped from this comment).
    A third of the disclosures it lists are from educational institutions. Whether this overrepresentation is due to greater vigilance, greater compliance with the law, or poorer protection of data by such institutions is an unanswered question, unfortunately.
    [Adam adds:]

  • The Q Speaks says:

    ID theft writ large

    Emergent Chaos points out there’s no reason for colleges to use SSN as ID numbers, a point all the more illustrated by…

  • How about “stop using social security numbers as passwords”

    Today I read on Martin McKay’s blog that you should change your default passwords and Adam
    Shostack has pointed out that colleges should usen’t use SSNs to track students. But
    apparently, no one told Jackson Community College not to use SSNs as the dwe…

Comments are closed.