Last week I got a letter in the mail from the Mendoza College of Business at the University of Notre Dame. Apparently, the school had put information about me, including my social-security number (SSN) and demographic information, on the Internet. “We have no evidence to date that this information was used inappropriately,” the school wrote, but I might want to take “prudent … precautions” by periodically checking my credit report with the three major bureaus.
What’s so infuriating about this is that I never had anything to do with the University of Notre Dame.
In 2001, I was thinking about going back to graduate school, so I took the GMAT, LSAT, and GRE exams. I checked off the boxes that said that my information could be forwarded to schools so that they could recruit me. A few schools contacted me, and that was that. Or so I thought. It seems that the Graduate Management Admissions Council didn’t just provide my test scores and demographic information: it also provided my SSN.
But why did the Mendoza College of Business keep that information for six years? And how did it make it available on the Internet?
I called Notre Dame to find out what had happened and was told that a file of GMAT names, scores, SSNs, and other information had been inadvertently left on a computer that was decommissioned. At some later point in time this computer was turned back on and plugged into the Internet, and it made the files available through some kind of file-sharing program. Google picked up the files, indexed them, and added them to its archive. How was this discovered? Somebody did a Google search on his or her own name and found the jackpot of personal information.
The woman I spoke with from Notre Dame said that the school had looked at the log files on the computer, and there were no other signs of access other than by the one person who had accessed his or her files. I’m not sure that this makes sense because she said that there was also no evidence that Google had accessed the files, and clearly Google had. Besides, if the information was cached by Google, bad guys could have downloaded it directly from the cache and avoided leaving traces at Notre Dame.
I called a friend who works in the privacy industry. He said that the GMAT never should have distributed my SSN with this file–there was no reason to do so–and he added that it has since stopped the practice. He also said that universities like Notre Dame are responsible for the majority of the privacy breaches that have been disclosed to date. (That’s true, but the flip side is that more names have been released by businesses because they tend to have bigger databases.)
Where does this leave me? More annoyed than anything else. The real problem isn’t that personal information keeps getting leaked, but that personal information is so valuable. The reason SSNs can be used for identity theft is that banks and other financial institutions think that if you know somebody’s SSN, then you must be that person. This has got to change.
It will soon be easy for self-driving cars to hide in plain sight. We shouldn’t let them.
If they ever hit our roads for real, other drivers need to know exactly what they are.
Maximize business value with data-driven strategies
Every organization is now collecting data, but few are truly data driven. Here are five ways data can transform your business.
Cryptocurrency fuels new business opportunities
As adoption of digital assets accelerates, companies are investing in innovative products and services.
Yann LeCun has a bold new vision for the future of AI
One of the godfathers of deep learning pulls together old ideas to sketch out a fresh path for AI, but raises as many questions as he answers.
Get the latest updates from
MIT Technology Review
Discover special offers, top stories, upcoming events, and more.