Rant: Universities don't really care about keeping your data private

Exterous

There will be controls around the main PCI\FERPA\CUI repositories but after the data is pulled out from there they don't care. Had a meeting earlier today with a University that has a site where anyone who ever went there or worked there ever could save\copy\delete information that anyone else put there. This location was also tightly integrated with a certain office productivity software making it incredibly easy to find and accidentally use. For weeks I've been telling them to lock it down and how to do it - but it keeps getting passed from dept to dept.

"It's not our job". Yeah ok but this will take 5 min - I just need someone with access to do it.
"Is there really important data there?" Almost certainly, given the tons of recent docs and the titles of at least a few of them.

The new group I talked to today said "Maybe it's just fine the way it is." Really? So we know it's being misused but it's ok that anyone can just save anything they want to that area with no controls to prevent accidental or malicious intent? "Yes. We do it with this other major productivity software."

Wait...what? Well do you at least proactively tell them what option is appropriate for what type of data so they are aware of the restrictions?

"No. We have this one web page buried somewhere that they have to seek out on their own that says what product is appropriate for what data storage. And if a professor or staff member posts FERPA or privileged information on it anyway that's on them."

Are there any disclaimers on the products themselves?

"No."

You don't monitor or restrict data or access?

"Not our job."

So what is to stop someone from accidentally putting privileged information on there?

"Our data guide"

The one they may or may not know exists?

"Yes."

In the last couple of months I've seen some pretty bad things. SSNs, TINs, Medicare #s, bank account #s etc where they shouldn't be and with entirely inappropriate security measures. No one really seems to care though. The attitude is more along the lines of "Oh those rascally professors - always putting SSNs where they shouldn't." or "Our workflows kept erroring so we opened anonymous access." WHAT??!! They are entrusting security to the same people that think backing up their tax returns to a research storage share open to their students is fine (Not that many staff are much better about it)
 

IronWing

Say, I've got some info I'd like to backup; can I just store this info.inf file on your server?
 

GagHalfrunt

Universities don't really care about educating students or preparing them for the real world. I think that's a bigger problem.
 

zinfamous

When I started at NCSU, c. 1997, our student ID numbers were still our SSNs. Seriously. And no one really complained. WTF. Obviously, student ID numbers are freely used everywhere and tend to be included in all sorts of forms that are viewed by all levels of people. I was a fricking undergrad workstudy for many of those years, filing papers and organizing teacher evaluations at the end of semesters, and this gave access to an entire department's worth of SSNs.

I do believe that has changed long ago, but it's staggering to consider that it was still in practice as late as ~2000, let alone ever.
 

Red Squirrel

No company cares about your private information. There are no regulations on that stuff, given the government themselves are in the same business.

Ex: Equifax and all the other companies that have had info leaks.

If they cared, they'd have better security and not outsource their IT to the lowest bidder in India.

The whole system is screwed up though; an SSN should not be the end all of your ID. It's just a simple number that everyone has. There needs to be better security to not make it so easy to be a victim of ID theft.
 

ponyo

> When I started at NCSU, c. 1997, our student ID numbers were still our SSNs. Seriously. And no one really complained. WTF. Obviously, student ID numbers are freely used everywhere and tend to be included in all sorts of forms that are viewed by all levels of people. I was a fricking undergrad workstudy for many of those years, filing papers and organizing teacher evaluations at the end of semesters, and this gave access to an entire department's worth of SSNs.
>
> I do believe that has changed long ago, but it's staggering to consider that it was still in practice as late as ~2000, let alone ever.

When I first got my driver license, the driver license number was my social security number.
 

Pulsar

It's not just a University thing. A couple years ago a Big 3 automaker was improving their intranet and invited Google to create an intranet-only Google so the employees could find things more easily. It was shut off in 3 days because of the amount of company secret-level documentation that people had posted on the intranet that the Google search was digging up while it was crawling. 2 years later they turned it back on, and you can still do searches that turn up product planning documents that go out 15 years...
 

IronWing

> When I first got my driver license, the driver license number was my social security number.

Yep, and we used to have our DL numbers and SS numbers printed on our checks to save time at the grocery store.
 

Exterous

> No company cares about your private information.

> It's not just a University thing.

It's much worse than I ever saw in the private sector. At least there, there was a more obvious financial risk given trade secrets and whatnot, which led to at least some accountability. I have yet to see anything even remotely close to that at a University.
 

sdifox

University is about expanding your horizon and sharing ideas. Thus all data must be shared. Now hand over your Social Security card, Birth Certificate, Credit Cards and Driver's Licence.
 

[DHT]Osiris

Nobody cares, but yes, you are right. What matters, seriously, is pushing responsibility to someone else.

My job (university) recently faced a crossroads between a) improving security and b) pushing responsibility to another agency for security violations. They chose b. Security is a distant secondary concern to being responsible when security fails.
 

TXHokie

Everybody is hacked, some just don't know it yet.
The criminals already have all your information, they just haven't gotten around to using it yet.
 

clamum

> I do believe that has changed long ago, but it's staggering to consider that it was still in practice as late as ~2000, let alone ever.

I went to Mich Tech from 2003 - 2006 and at that time student IDs were SSNs still.

As for the OP's issue, I think a significant part of it is due to people not taking responsibility for things. There's a big "that ain't my job" attitude that I think pervades a lot of places and I see it often at my work. It sounds like someone needs to grow some f'ing balls and take responsibility so it can get fixed. I mean, assuming they understand what's wrong and how it can be exploited.
 

NesuD

Well, after hearing some of the stories that my son tells (he is a sysadmin at a large university), trying to get professors to follow rules not of their own making is akin to cat herding, so I can see why they may not be all that diligent about keeping said professors out of the doghouse.
 

ImpulsE69

<Insert object here> only care about security when they are losing money. Most of them want to sell your information anyway.
 

Scarpozzi

That's nothing. At my former job we discovered a doctor's office affiliate that had HIPAA data on our domain years ago. Anyone with a domain username/password could log in and pull down MySQL dumps (backups) that had all kinds of stuff in them. It's what happens when you hire idiots to do important jobs and assume since it's Windows Server administration they don't have to train them. (Also why I prefer Linux... at least it's perceived that you have to have half a brain to work around the shell.) Those people were pathetic... yet made more money than me for screwing up.
 

Red Squirrel

Hospital environments are freaking scary. Nurses and doctors are actually some of the dumbest people when it comes to computers so they want everything to be "Easy and user friendly". That usually means skipping a lot of security related measures. One big thing we were trying to push for when I worked at our hospital is to get rid of generic accounts, but they would not budge. "It's too complicated, we just want to log in and then anyone can use the computer!" These generic logins could be used via internet-facing Citrix to log in to the EHR system, which also had a generic account.

Technically if I wanted to right now I could go check out people's health records, assuming they never removed those accounts. (I would never do something like that, not even just to try it)
 
