On Tuesday, February 18, 2014, the University of Maryland (UMD) suffered a massive data breach in which over 300,000 personal records for students, faculty and staff were leaked by hackers. The data was stolen from a database of ID cards issued to the individuals, a database that includes the names, birthdates, Social Security numbers and university identification numbers of over 300,000 people affiliated with the university.
According to the Washington Post, UMD vice president and chief information officer Brian Voss says that hackers broke in and duplicated the records without changing any information. He also said that the hackers must have had a very significant understanding of the security systems at UMD, as they had to go through several different steps to access this information. The university has launched a full-scale investigation in response to this breach, as people are rightfully upset about the attack.
However, while I agree that this is indeed a tragedy, let’s face it: UMD could have avoided this situation altogether if the university had a better security policy in place—especially concerning Social Security numbers. Now, while I don’t know how the computer systems at UMD are protected, I do know that you should always encrypt sensitive data—particularly the very sensitive Social Security number. The Social Security Administration itself warns against people using SSNs as primary identifiers for record keeping. It even goes as far as saying to “never use SSNs on ID cards.” While I’m sure the ID cards did not display SSNs on them, the database did indeed include that information. Was it really necessary for UMD to use such sensitive information to distribute ID cards? Why not use personal addresses instead?
A UMD graduate who goes by the screen name Erik82 on washingtonpost.com commented on the breach, saying that he was annoyed that it’s now the second time UMD has offered free credit monitoring services because “they failed to protect my information.” He goes on to say that UMD stated at the time of the last security lapse that they were removing Social Security numbers from their records and using student numbers to identify them. However, it’s clear from this latest breach that this hasn’t happened.
What UMD needs to do is stick to what they said. Stop using SSNs to identify students. If you absolutely must use SSNs, at least use the last four digits instead of the full number. If you won’t do that, at least keep the records containing SSNs on a database unconnected to the internet or network to prevent data breaches.
Social Security numbers shouldn’t be used as an identifier for a college ID. For financial aid, proof of residence and other circumstances, SSNs need to be used, but in this case, it is completely unnecessary.
The solution? Keep SSNs out of public identification. Period.