2nd of the 2 Ones, and the 59th Complaint in Wysz's Thoughts v.Awesome


Abstract:
Could also have been a quote, but whatever.

Body:
Here at Hopkins, like every school, we have ID cards that let us do things like eat in the cafeteria and buy things at certain on-campus and close-to-campus locations. Ours is called a J-Card.

From a letter dated January 24th, 2005, which yes, I know is Macintosh's 21st birthday:

It recently came to the attention of the university that two files containing the names and personal information of Homewood undergraduate students enrolled in the spring of 2003 had been maintained on an individual's server that, though obscure, was accessible through the Internet.

One file contained the names, birthdays, and J-CARD numbers of some 4,000 students who were eligible to vote in a Student Council election that spring. The other contained the names, partial J-CARD numbers, and last four digits of Social Security numbers for 1,500 of these same students.

As soon as the existence of these files was reported, the university moved swiftly to have them deleted from the server. The university also proceeded to have all references to the files removed from any known Internet search engine cache files and indexes.

There were no links to the files elsewhere on the Internet. There is absolutely no evidence that anyone ever used these files for any inappropriate or illegal purpose. There have been no reports of any unauthorized activity or of any compromise to any J-CARD account as a result of this information being potentially available...

...the swiping of a physical J-CARD is necessary for every J-CASH transaction. Moreover, the physical card has additional encryption that is not revealed by the card's number. Thus, there is very little reason to believe that possession of a J-CARD number alone would permit fraudulent purchases or other illegal or inappropriate activity.

4,000 = all undergrads.

Social Security numbers are not supposed to be used for identification, and Hopkins has its own official policy against them being used for this. However, Social Security numbers are used for ID all the time at Hopkins (and outside of Hopkins), and many web services at JHU use the last 4 digits as authentication. Unfortunately, replacing a J-CARD will do nothing to help any possible problems caused by the leak of partial Social Security numbers.

If there were no links to the files, how did the search engines find them? I know this can be done (referral URLs, perhaps a search service on the server that held the file, etc.), but still, I am suspicious.

I read an unconfirmed report that the magstripe actually contains no other data than the number printed on the card. Hmm.

Posted: Friday - January 28, 2005 at 02:25 PM          

