Shostack + Friends Blog Archive


University of Cincinnati, 7,000 SSN, Hacker

Cincinnati’s Channel Cincinnati reports that “Hacker Steals Personal Data From UC System:”

UC Vice President of Information Technology, Fred Siff, said the hacker knew how to avoid intruder alerts on the system.

“This was obviously a serious breach,” Siff said. “This is a very sophisticated hack. I hope that goes without question. It wasn’t just somebody fooling around. This was very sophisticated, to be able to figure out how to piece different pieces of information together.”

One would hope that our institutions of higher learning would not consider “[piecing] different pieces of information together” to be “very sophisticated.”

No institutional page about the breach yet, but I did find this bit:

The University of Cincinnati uses Social Security Numbers (SSNs) as identification numbers. It is very helpful if you supply your SSN with your application. It will only be used for administrative purposes*. If you do not wish to disclose your SSN, leave this space blank and an alternative number will be assigned to you. Non-disclosure of your SSN will not affect your application in any way.

However, my young apprentice, once you are firmly in our grasp, your ability to protect yourself will be stripped away for administrative convenience.

Tip of the hat to “vacationing” Ryan Singel.