UVa Accidentally Releases SSNs

A UVa TA accidentally sent a spreadsheet with 62 social security numbers to an entire class last week, and the provost is now telling faculty to erase any SSNs from their computers, Aaron Kessler reports for the Progress.

UVa has a terrible, terrible system by which they track students and staff — they use social security numbers as unique identifiers. So SSNs appear on all sorts of paperwork and grading information and student records, none of which are treated with anything approaching the level of security necessary for one’s SSN. Most schools long ago phased out that practice. As a Virginia Tech student, I was assigned a random nine digit number, because the school recognized that they had nothing to do with the U.S. Social Security Administration. In order to get a UVa computing ID for my job (I work for Virginia Quarterly Review) I had to give ITC my SSN, to my horror. But I also want to keep my job, so I forked it over.

The university says they’re working on phasing this out, but it’ll take until 2010. My advice to students? Lie. Don’t worry, Jefferson would have done the same.

8 thoughts on “UVa Accidentally Releases SSNs”

  1. I worked for a university in DC for a few years. If any student requested a unique ID number and did not want to disclose SSN, we were required to provide the student with one. I don’t know if this was university policy or something else.

    When the university switched to a new data management system, all students were given non-SSN ID numbers. Only financial aid had SSN data after that point. I’m pretty sure only employers/HR had SSN data for employees, but we were all given ID numbers, too.

  2. There are certainly a lot of TAs with a lot of access to a lot of social security numbers. It’s actually quite scary.

    What’s worse, is that the SSNs show up, or used to show up, in a lot of the web-based grade submission forms. So an unwitting TA may have dozens or hundreds of SSNs cached on their hard drive somewhere.

    As a mutli-time TA, I have not knowingly received the email about deleting information.

    Moreover, I also noticed in the article a problem where some laptops bound for surplus auction were stolen, and that there may have been sensitive data on those despite surplus rules of removing hard drives before the computers leave the owner.

  3. [QUOTE]My advice to students? Lie.[/QUOTE]Unless they’re applying for financial aid. I’m not on the financial side, but I’ve been told that because government money is invovled, SSN is needed to get aid.

  4. I am currently an instructor and I still see students SSNs in our web-based toolkit (UVA is quoted in the article above as having removed that feature from the system already, but as of last week they hadn’t).

    When I first came to UVA as a grad student in 2001, I asked for a non-SSN ID, but was told that since I was also an employee I could not receive an alternate ID (or else the payroll wouldn’t work properly). So like Waldo, though distraught, I preferred to get paid than keep complaining.

    Even funnier (or scarier / stupider) – when I was an undergrad, we ordered food for delivery from outside vendors by giving them our SSN over the telephone. The school advertised it as one of the many conveniences of the meal plan. My freshman roommate and I shared numbers so either of us could order pizza on either account depending on whose turn it was. Lots of people knew lots of other people’s SSNs back then.

    What a bogus system. Then and now.

  5. When I took a class through ITC, they used to require us to put our UNIX name (the one you use for email) AND your social security number. I realized then that my SSN was everywhere but I thought why make it easy. So I just refused doing it.

    The last time I took a class, I think they removed it.

    Right now, for timekeeping purposes, we do not have access to SSN but all employees are now assigned a random number through the infamous Oracle system. (Don’t get me started about that or the new purchasing system. I can’t figure if I can order anything or how and I have to take a 2 hour online class. I’m told that at the end of the online class, I just have to say “yes, I agree to these policies.”)

    One thing that’s a problem is that everyone uses SSN for id purposes. Your hospital chart number at UVA is tied to your SSN (so they can find your chart) but it’s also visible where maybe it shouldn’t be. You call Citibank — give them the last 4 digits of your Social — same with Adelphia (oops, now Comcast — is the future today yet?).

  6. UVa has promised that a phase-out of this system for years, and has been saying it’s 3-5 years off since about 2000. Students overwhelmingly passed a referendum in 2005 asking the administration to change its methods, but that hasn’t happened yet.

    This is not even the worst recent indiscretion. The theft of University hardware in the spring left thousands potentially vulnerable; last month the university accidentally sent several hundred students the wrong SNNs. See the link: http://www.cavalierdaily.com/CVArticle.asp?ID=28435&pid=1507

    About 14 months ago, the University left thousands of SSNs in an online location where they were accessible to identity thieves:

    So this by no means is something that people are just noticing here at UVa.

  7. As Redhead said, employees do have an individual personnel numbers in Oracle, so they aren’t tracked by social security number. But it is insane how much is still tied to social security numbers there. It’s even more insane that they have a million different “systems” to track students vs. staff vs. whatever.

Comments are closed.