Shostack + Friends Blog Archive

 

Jackson (Mich) Community College, 8,000 SSNs, Bad Policy

The Detroit Free Press reports that “Hacker may have stolen Social Security numbers from Jackson Community College:” [link to http://www.freep.com/news/statewire/sw116169_20050523.htm no longer works]

A hacker who broke into the computer system at Jackson Community College may have accessed as many as 8,000 Social Security numbers, the college said Monday.

The hacker broke into the system Wednesday. College officials are still investigating but say the hacker may have downloaded employee and student passwords. The college has long used Social Security numbers as default passwords for setting up computer accounts.

It's not clear to me if the passwords were encrypted, if they were storing unencrypted passwords for some reason, or if this was a list they kept handy to seed the database. It's also not clear that it matters to anyone affected.

Another short note: Wednesday break-in, to Monday announcement. That's actually impressive speed. The norms keep getting worse for businesses that rely on social security numbers.

(Via Wikid blog, “How about ‘stop using social security numbers as passwords’” (But Bullwinkle, that trick never works!))