I was also glad to see Jamie Lewis blogging about the security breach at George Mason University… The full story is on News.com. Basically,
George Mason University confirmed on Monday that the personal information of more than 30,000 students, faculty and staff had been nabbed by online intruders.
The attackers broke into a server that held details used on campus identity cards, the university said. Joy Hughes, the school's vice president for information technology, said in an internal e-mail sent over the weekend and seen by CNET News.com that “the server contained the names, photos, Social Security numbers and (campus ID) numbers of all members of the Mason community who have identification cards.”
Jamie had told me recently how much he liked the piece in which I worried that the British Identity Card – as proposed in its initial draft – is an information-disaster-waiting-to-happen. His reaction to the George Mason affair is:
As identity systems aggregate information, they also aggregate risk. And the custodians of those stores must take the proper precautions, including risk and threat assessments and the implementation of a reasonable protection posture.
I love the formulation that as identity systems aggregate information, they aggregate risk. I want to put that into the second law since it is really key to what I was trying to express.
However, as much as I love to see Jamie exhuding unbridled optimism – I would be surprised if the custodians had not done risk and threat assessments, or somehow failed to act responsibly to protect the information. So this part rings hollow.
We need to base our approach to these scenarios on the idea that one day, the store will be penetrated. We need then to reduce information in the store to the minimum required. We need to distribute information so breaking into one system gives away as little as possible. And more than anything, we need unidirectional identifiers such that only access to a metasystem allows assembly of cross-aspect information.
For example, there was no need for George Mason's ID system to contain social security numbers. Nor, bizarrely, is there probably any reason for it to contain student identification numbers. It could – I know this sounds primitive – just contain single-purpose identity card numbers. A metadirectory – which itself contained no substantive information – could provide glue to other identification contexts for those who merit it – and on a case by case rather than carte blanche basis. This allows many more controls and balances to be built into the system. (All of this is Law 4)
George Mason had been moving in the right direction.
Last year, George Mason said it would cease to print Social Security numbers on campus ID cards and would instead generate unique “G numbers” for each student and each member of faculty and staff.
So the SSNs were now redundant (ouch! Law 2). But as if to underline my point,
“We felt that the information there was secure,” George Mason spokesman Daniel Walsch said on Monday.
And now, fasten your seat belts for the obvious:
George Mason is not alone among universities in suffering a security breach. Two years ago, online intruders broke into a server containing the credit card numbers of some 57,000 patrons of a Georgia Institute of Technology arts and theater program, while others lifted more than 55,000 Social Security numbers from computers at the University of Texas at Austin. Last year, more than 1 million California residents had their personal information leaked thanks to a pair of incidents at UCLA and the University of California at Berkeley.
Put these all together, go up to the national scale, make the system available on-line, add every piece of identifying information – physical, biometric, educational, employer-related. Then you have a really nice target – I mean TARGET – don't you? Inside job or outside?
And you can probably just “dribble” a lot of information out of the system before anyone is any the wiser if you have the right background and access.
