UT students should consider themselves lucky that Aaron Titus works for the good guys and not the bad. In January, Titus discovered the information of more than 2,000 UT students online, including social security numbers, addresses and tax information, using simple search techniques. He then notified the University, which sent letters to the students it deemed affected by the lapse. But other than these few discreet letters, the state of our private information at UT - wherever it may be - remains largely undiscussed.
Titus is the privacy director for the Liberty Coalition, a non-profit group based in Washington, D.C., that focuses on "transpartisan" policy issues, and his job is to think like an identity thief. He could be a great one, too, if his intent were malicious - during his career, he's found more than 300,000 files with exposed sensitive information on the Internet. Essentially, Titus is a professional Internet watchdog, alerting public institutions, especially universities, when their private information is available.
This most recent incident is UT's third breach in the last year, and each one has followed the same archetype, said Titus. University professors upload private student information to public servers, Google picks it up and it becomes part of the public domain, available for anyone with the right techniques to see.
Titus is performing a service that UT should be doing itself to ensure that our information is permanently classified. As a rule, "colleges are very good at protecting current student information, but they're not very good at protecting old student data," Titus said. "They could very easily scan their internal systems on an ongoing basis for this information, so when a breach like this does occur, they can discover it, so it doesn't sit open to the public for five years."
Brian Roberts, UT's Vice President for Information Technology, hesitates to call the January incident and the two that preceded it "breaches." Rather, student information was "put up there [on the Internet] and forgotten about," he said. This euphemism does not offer us any comfort.
No one here is acting malevolently - Titus said that he has not encountered a single university breach that has been on purpose - but the manner in which UT has handled these breaches is evasive and potentially dangerous to students.
UT needs to train its faculty and staff comprehensively so students are not put at risk for identity theft. Roberts said that the January incident came "at the tail end of a long and concerted effort" to educate faculty and staff on how to protect private information, but apparently, this education is not working.
The University should also take responsibility for monitoring its own servers instead of letting Titus do the dirty work for it (and then trying to keep his findings quiet from students). With UT's pocked Internet security history, it wouldn't hurt to have someone like him on board here. Too bad he's already working for the good guys.
UT students can visit Ssnbreach.org to check whether their personal information has been revealed on the Internet.





