Shostack + Friends Blog Archive


University of Tennessee, 1,900 SSNs, Bad Policies


The University of Tennessee notified about 1,900 students and employees yesterday that their names and Social Security numbers inadvertently were posted on the Internet.

A University of Tennessee student made the discovery about two weeks ago when she searched the Internet for her name and found it listed with her Social Security number on a UT e-mail discussion group site.

The names were contained in the archive of a group of about 10 employees in the bursar’s office and the IT office who had been computer conferencing. They had been exchanging information on individuals who had either paid or owed small amounts of money to the university.

The group’s address coding, or listserv, was improperly configured. Instead of the archive being private, it was coded public.

That’s an inaccurate description of the problem. The problem is that social security numbers were being slung around carelessly by email, rather than a student ID number assigned by the University. Then a second flaw was that the mail archive was public. But that flaw would matter a lot less if it hadn’t been for the policy failures of SSNs as identifiers, and then SSNs in email.

[From “UT students’ private data posted on the ‘Net,” via Farber’s IP list.]