Cornell Loses Computer With Everyone’s SSNs, All Students’ Credit Ruined Forever
Given the insanely high costs of tuition these days, college students have certain expectations of their academic institutions. These expectations include good concerts, at least one place on campus that sells crepes, and cops that aren’t complete buzzkills. Most importantly, students expect their college to keep their personal information safe. So when a Cornell-owned computer containing the names and Social Security numbers of thousands of Cornellians was stolen, it was clear that somebody focused too much on the crepes. On Tuesday afternoon, Cornell sent this e-mail to over 45,000 current and former students and faculty in order to say “our bad”.
Dear Current or Former Member of the Cornell Community:
Last week, we learned that a Cornell-owned computer that was stolen earlier this month contained your name and Social Security Number. Please accept our most sincere apologies for this unfortunate event.
In order to inform you of this situation as quickly as possible, we are sending you this email in advance of a formal notification via U.S. mail.
Hooray! We’re all fucked!
The entire e-mail after the jump.
Dear Current or Former Member of the Cornell Community:
Last week, we learned that a Cornell-owned computer that was stolen earlier this month contained your name and Social Security Number. Please accept our most sincere apologies for this unfortunate event.
In order to inform you of this situation as quickly as possible, we are sending you this email in advance of a formal notification via U.S. mail.
The official letter will detail the services that Cornell is offering you, at our expense, in response to this incident. There will also be a toll-free number you can call for additional information and assistance.
In the meanwhile, we urge you to visit a web site we have created with frequently asked questions (an FAQ) about this situation and some steps you can take yourself:
http://faq-june2009.cuinfo.cornell.edu
We will be updating this web page as more information becomes available. It is, however, the official notification letter that will contain the details about activating the services Cornell is making available and whom you can contact with any questions or concerns.
This incident underscores the need for ever more vigilant security processes. Cornell University is committed to maintaining the privacy of individuals’ personal information and takes many precautions to ensure its security. In response to incidents of theft like this one, and the increasing number of Internet-enabled computer attacks, the University is continually improving its systems and practices.
Once again, please accept our apologies for this incident. We deeply regret any inconvenience it may cause.
Thank you.
Polley A. McClure
Vice President for Information Technologies
Cornell UniversitySteven J. Schuster
Director, IT Security Office
Cornell Information Technologies
Although Cornell screwed up tremendously by losing a computer with the personal information of 45,000 people, at least they let us know about it as quickly as possible. That’s why they sent this e-mail just one week after they learned about the private information on the computer that had been stolen three weeks ago. I mean whoever stole the computer could have opened no more than three credit cards in my name by now. Four tops.
This is enough to upset anyone who entrusted Cornell with protecting their identity. Fueling the rage is the university’s official explanation as to how the personal data–normally only stored on computers located in physically safe place–ended up on a vulnerable computer:
A member of the Cornell technical staff, who is responsible for supporting our central administrative systems, was using these files to correct transmission errors found in the processing of the files. The data was being used for troubleshooting.
I may not know what an organization does with my Social Security number after I give it to them, but I’m pretty sure using it as an alternative to “the quick brown fox jumps over the lazy dog” isn’t supposed to happen.
But what’s done is done. Cornell allowed SSNs to be used as example data and now some hick in Danby has four hundred new credit cards with which to soup up his tractor puller. Obviously Cornell students are upset about this. However, I believe that we can reach an understanding with the university.
You see Cornell, I just gave you over $150,000 in order to attend your prestigious institution, live in the middle of nowhere, suffer through bitter cold winters, and earn a degree in a major that I ended up disliking by Junior year. In return, you gave me the worst job market in history, booked the Pussycat Dolls for Slope Day, and with this catastrophe, potentially ruined my credit for the rest of my life. Seeing as how it will be difficult for me and many of my fellow recent graduates to make money with no job and no credit from here on out, what do you say we forget about those student loans? It’s only fair. And don’t call me for donations either.
18 Comments | 
| 
Print This Post
Read more: alumni, Cornell, fail
Email – 
Search
About
Follow us on Twitter
Report a bug
Archives
RSS Feed
June 24th, 2009 at 9:26 am
Why are universities still using social security numbers to identify students? I understand why they did it when I was in college (‘79-’83)– it was an easy thing to use– but now, with all the identity theft issues, they ought to be using something else.
I’d suggest making it a 12 digit number that students themselves choose, such as your home phone # plus a couple of digits, something easy enough to remember. And if their computers are already rigged to expect only 10 digit numbers, that’d work too, although when your younger sibling goes off to the same school he or she would have to choose a different number.
One would expect a bit more intelligence from the Ivy League.
Do the other seven Ivies still use social security numbers?
June 24th, 2009 at 9:37 am
Yeah, huge FAIL on Cornell’s part.
June 24th, 2009 at 9:42 am
@Shawn:
I can’t speak for the other Ivies, but I go to Dartmouth and the administration definitely does not use people’s social security numbers for…anything, really. Instead, every student has an ID # generated for them that consists of 5 numbers and a letter. Dartmouth is way smaller than Cornell though so 5 numbers and a letter is pretty easy to work with. Whenever you take a test or want to sign up for something or have a question that the administration has to pull your file up to answer, you give your ID number which is in no way linked to your social security number. I know some schools in the midwest use an ID # plus the last 4 digits of your social, which is safer I suppose than what Cornell did.
June 24th, 2009 at 10:18 am
something extremely similar happened at columbia last year and as far as i know there were no incidents of identity theft because of it. not to downplay the craptastic nature of cornell’s failure, but it will most likely end up ok.
June 24th, 2009 at 2:34 pm
@well
Cornell uses student ID numbers as well. On tests and pretty much everything else we are identified by a 7 digit numerical code. That is not to say for loan purposes, pay purposes, etc. Cornell does not need and use our SSN.
June 24th, 2009 at 7:15 pm
I just graduated and it’s nice to know that Cornell still cares about me after I’ve left.
I can understand why they would notify us so late. Perhaps they understood the gravity of the situation and attempted to recover the computer as quickly as they could (obviously to no avail). Furthermore, publicly stating that 45,277 names and corresponding social security numbers are on the computer alerts the thief to the value of the computer.
What I don’t really appreciate is their nonchalant attitude towards this incident and the 45,277 affected. Maybe they cannot attach faces to the situation. How about a rally on campus with all the afflicted participating? I dare say 45,277 lives have been affected to various degrees, depending on the victim’s internal disposition and convictions, yet they present this fiasco as another incident that merely highlights the need to be vigilant with data…indeed, to quote a newscaster who reported about the sentiments of citizens in a neighborhood where a murder took place, “some of us feel that this should never have happened.”
Interestingly, the President (of Cornell) has been quiet on this matter, which perhaps is meant to downplay the situation. The lack of details on the incident as a whole further suggests this public relations strategy.
In their efforts to keep a lid on the incident, they foolishly overlooked another source of information that exists on the internet and is open to public access…the Cornell electronic directory, which may potentially list addresses and phone numbers of the 45,000 individuals affected. Each listed person on the Cornell electronic directory has a virtual business card, “vCard,” that can be downloaded.
Yes, in the worst case scenario, should the thief have evil intentions, what is to stop him or her from writing a script to download data on the 45,277 names and finding a more complete identity of individuals to further criminal intentions?
I am bordering on yellow journalism and sensationalism here, but the danger, however minute, is a possible one. While most Cornellians probably removed such sensitive information from their public directory, a small number of individuals may yet be affected. Hopefully this shall not be the case.
Certainly, if apologizing was enough, we wouldn’t need the police.
The lesson to be learned here is that “Only the paranoid survive.”
(From Andrew S. Grove, Intel Corp.)
June 24th, 2009 at 8:28 pm
There’s only one place to get crepes on campus, and it’s far out of the way and never open.
I can’t think of anywhere in Collegetown to get them either.
June 24th, 2009 at 9:10 pm
i wanna say Carriage House has them… sometimes? I’ve seen really shitty ones at Oakenshields on occasion. But yeah, they did’t get the crepes right either. But the apple cider’s pretty good.
June 24th, 2009 at 11:18 pm
To quote Andrew Grove above-
“Each listed person on the Cornell electronic directory has a… “vCard,” ”
So Ithaca is populated exclusively by virgins?
June 25th, 2009 at 2:42 pm
Wow, what a crazy thing to happen. I’m with the others- why are they still using the SSN? Perhaps it was just part of the information on the computer that was stolen.
June 25th, 2009 at 3:00 pm
i think this happened twice to me the year i graduated columbia in ‘07. it isn’t really that big a deal. they sign u up for some free service.
June 25th, 2009 at 11:06 pm
Is this BigTenGateblog?
June 26th, 2009 at 5:45 pm
Same thing has happened at least two times in last couple of years at UC Berkeley. These universities SERIOUSLY need to learn some real information security procedures (why were unencrypted SSNs stored ANYWHERE, much less on a laptop?). Ask any computer science undergrad about How Not to Store Confidential Data and they can give you a wonderful lecture on it. It’s not only irresponsible, it’s stupid.
June 27th, 2009 at 3:28 am
SAT question: How many different combinations can you get with a code consisting of 5 numbers and a letter?
I’m sure way, way more than Cornell would need.
June 29th, 2009 at 8:34 pm
Just guessing, but I know SSN are necessary for Financial Aid stuff such as FAFSA and all of that bullshit because it’s tied to your taxes and your parents taxes. I might be wrong, but I feel like that’s a plausible explanation for the use of SSNs.
Still, way to really fuck up, Cornell.
July 6th, 2009 at 12:57 pm
When I grow up
I wanna be broke
I wanna be ruined
I wanna be jobless
When I grow up
No credit cards
No employment
No apartment
Be careful what you wish for ’cause it just might happen…just might happen…just might happen…
July 6th, 2009 at 6:40 pm
You all need to get a grip. Honestly, what are the chances of your identity being stolen when there are over 45,000 individuals on that computer. Come on. You melodramatic freaks get a life.
July 6th, 2009 at 11:17 pm
http://www.washingtonpost.com/wp-dyn/content/article/2009/07/06/AR2009070602955.html?hpid=topnews