Last week I got a letter in the mail from the Mendoza College of Business at the University of Notre Dame. Apparently, the school had put information about me, including my social-security number (SSN) and demographic information, on the Internet. “We have no evidence to date that this information was used inappropriately,” the school wrote, but I might want to take “prudent … precautions” by periodically checking my credit report with the three major bureaus.
What’s so infuriating about this is that I never had anything to do with the University of Notre Dame.
In 2001, I was thinking about going back to graduate school, so I took the GMAT, LSAT, and GRE exams. I checked off the boxes that said that my information could be forwarded to schools so that they could recruit me. A few schools contacted me, and that was that. Or so I thought. It seems that the Graduate Management Admissions Council didn’t just provide my test scores and demographic information: it also provided my SSN.
But why did the Mendoza College of Business keep that information for six years? And how did it make it available on the Internet?
I called Notre Dame to find out what had happened and was told that a file of GMAT names, scores, SSNs, and other information had been inadvertently left on a computer that was decommissioned. At some later point in time this computer was turned back on and plugged into the Internet, and it made the files available through some kind of file-sharing program. Google picked up the files, indexed them, and added them to its archive. How was this discovered? Somebody did a Google search on his or her own name and found the jackpot of personal information.
The woman I spoke with from Notre Dame said that the school had looked at the log files on the computer, and there were no other signs of access other than by the one person who had accessed his or her files. I’m not sure that this makes sense because she said that there was also no evidence that Google had accessed the files, and clearly Google had. Besides, if the information was cached by Google, bad guys could have downloaded it directly from the cache and avoided leaving traces at Notre Dame.
I called a friend who works in the privacy industry. He said that the GMAT never should have distributed my SSN with this file–there was no reason to do so–and he added that it has since stopped the practice. He also said that universities like Notre Dame are responsible for the majority of the privacy breaches that have been disclosed to date. (That’s true, but the flip side is that more names have been released by businesses because they tend to have bigger databases.)
Where does this leave me? More annoyed than anything else. The real problem isn’t that personal information keeps getting leaked, but that personal information is so valuable. The reason SSNs can be used for identity theft is that banks and other financial institutions think that if you know somebody’s SSN, then you must be that person. This has got to change.
Keep Reading
Most Popular
The inside story of how ChatGPT was built from the people who made it
Exclusive conversations that take us behind the scenes of a cultural phenomenon.
How Rust went from a side project to the world’s most-loved programming language
For decades, coders wrote critical systems in C and C++. Now they turn to Rust.
Design thinking was supposed to fix the world. Where did it go wrong?
An approach that promised to democratize design may have done the opposite.
Sam Altman invested $180 million into a company trying to delay death
Can anti-aging breakthroughs add 10 healthy years to the human life span? The CEO of OpenAI is paying to find out.
Stay connected
Get the latest updates from
MIT Technology Review
Discover special offers, top stories, upcoming events, and more.