Last week I got a letter in the mail from the Mendoza College of Business at the University of Notre Dame. Apparently, the school had put information about me, including my social-security number (SSN) and demographic information, on the Internet. “We have no evidence to date that this information was used inappropriately,” the school wrote, but I might want to take “prudent … precautions” by periodically checking my credit report with the three major bureaus.
What’s so infuriating about this is that I never had anything to do with the University of Notre Dame.
In 2001, I was thinking about going back to graduate school, so I took the GMAT, LSAT, and GRE exams. I checked off the boxes that said that my information could be forwarded to schools so that they could recruit me. A few schools contacted me, and that was that. Or so I thought. It seems that the Graduate Management Admissions Council didn’t just provide my test scores and demographic information: it also provided my SSN.
But why did the Mendoza College of Business keep that information for six years? And how did it make it available on the Internet?
I called Notre Dame to find out what had happened and was told that a file of GMAT names, scores, SSNs, and other information had been inadvertently left on a computer that was decommissioned. At some later point in time this computer was turned back on and plugged into the Internet, and it made the files available through some kind of file-sharing program. Google picked up the files, indexed them, and added them to its archive. How was this discovered? Somebody did a Google search on his or her own name and found the jackpot of personal information.
The woman I spoke with from Notre Dame said that the school had looked at the log files on the computer, and there were no other signs of access other than by the one person who had accessed his or her files. I’m not sure that this makes sense because she said that there was also no evidence that Google had accessed the files, and clearly Google had. Besides, if the information was cached by Google, bad guys could have downloaded it directly from the cache and avoided leaving traces at Notre Dame.
I called a friend who works in the privacy industry. He said that the GMAT never should have distributed my SSN with this file–there was no reason to do so–and he added that it has since stopped the practice. He also said that universities like Notre Dame are responsible for the majority of the privacy breaches that have been disclosed to date. (That’s true, but the flip side is that more names have been released by businesses because they tend to have bigger databases.)
Where does this leave me? More annoyed than anything else. The real problem isn’t that personal information keeps getting leaked, but that personal information is so valuable. The reason SSNs can be used for identity theft is that banks and other financial institutions think that if you know somebody’s SSN, then you must be that person. This has got to change.