UT case shows risk of using Social Security for ID Information of 55,000 people stolen in database hacking

By Joshua Benton
Staff Writer

Page 1A

As long as universities continue to use Social Security numbers to identify students, there will be crimes like last week’s computer hacking at the University of Texas, experts say.

“I am 100 percent opposed to any college using Social Security numbers that way,” said Jay Foley, director of consumer and victim services at the Identity Theft Resource Center, a San Diego-based nonprofit group. “All it can do is damage.”

Between Feb. 26 and Sunday, someone hacked repeatedly into a UT computer network, breaching security systems and stealing the Social Security numbers of more than 55,000 students, faculty and alumni.

Law enforcement officials said there is no evidence that the stolen data have been used inappropriately. As of Thursday afternoon, no arrests had been made.

The hacker or hackers apparently used a computer program to query a UT database with 3 million possible Social Security numbers. If one of the numbers matched an individual in the database, the hacker was able to access other personal data.

Since 1973, all Social Security numbers issued in Texas have begun with three digits between 449 and 467, which may have made the hacker’s job easier. The compromised Social Security numbers all began with the numbers 449 to 452, UT officials said.

UT officials said they did not announce the data exposure immediately because they thought doing so might make capturing the hackers more difficult.

“We believed because the origin of this attack was limited and appeared to be local, we might be able to recapture the data without it being disseminated or lost,” said Dan Updegrove, UT’s vice president for information technology.

Much of the personal data the hackers obtained – names, phone numbers, addresses – can be found legally through other sources. But when combined with Social Security numbers, the information can make identity theft possible.

“It looks like they found a soft point in the system,” Mr. Foley said. “From the way it was done, it appears there was planning and preparation involved. But this wouldn’t be that difficult to do.”

Mr. Foley said this was one of the largest data thefts involving a university. Other government agencies have faced even greater losses, such as the 260,000 Social Security numbers stolen from a California state employee database last year.

Universities’ use of Social Security numbers gained national notice last summer, when officials at Yale University accused Princeton officials of improperly accessing student admissions data on a Yale server. Princeton officials were able to use the Social Security numbers of high school seniors to find out if Yale had offered them admission.

Unique identifier

Because it is a unique identifier, many colleges and universities use a Social Security number as a student’s college ID number. A 2002 study by the American Association of Collegiate Registrars and Admissions Officers found that 50 percent of universities surveyed use students’ Social Security numbers as their primary student IDs.

Many universities, including UT, are trying to phase out the use of Social Security numbers of most student documents. Texas A&M has a plan in place, for example, but says it will cost more than $1 million and take several years to accomplish.

“The Social Security number was never intended for this,” said Nede Mansour, a spokeswoman for the Social Security Administration. “We try to discourage this sort of use, but we can’t do anything about it.”

In any event, abandoning Social Security numbers entirely will likely be impossible, experts say. Even if a university adopts an internal ID system for students, it will always need to provide some way of identifying individuals to other institutions – for example, if it has to send a transcript to another university.

‘Not the best way’

“It’s not the best way to handle it,” said Barmak Nassirian, associate executive director of the American Association of Collegiate Registrars and Admissions Officers. “If your name is Barmak Nassirian, there probably won’t be many of you. But if your name is James Wilson, you need something unique to identify you.”

He said universities are also required to gather Social Security numbers by federal programs such as the Hope Scholarship, which provides tax credits for college tuition.

Rep. Suzanna Gratia Hupp, R-Lampasas, has introduced a bill that would ban the use of Social Security numbers as student IDs by 2005.

“I can’t say that my bill would have stopped what happened, but it could help prevent future identity theft,” Ms. Hupp said. Her bill will get its first committee hearing on Monday.