MIT Employees’ Social Security Numbers Found in Public File
By Tatyana Lugovskaya
Social security numbers and MIT identification numbers of over 11,000 MIT employees were posted in a publicly accessible file for six months.
In mid-March, the MIT Corporation found out that the file was online, said Kathryn A. Willmore, vice president and secretary of the MIT Corporation. The file included information about all non-students employed by MIT as of Sept. 5, 2003, she said.
Administrators said it is unlikely that anyone accessed the file, other than the person who reported it to MIT.
“We know from the beginning of March to mid-March, only one person accessed” the file: the person who reported it, Willmore said. “We don’t keep records beyond a few weeks,” she said, but “we take a little comfort that only one person” accessed the document during the period of time for which records are available.
“I’m one of the people” in the file, said Jeffrey I. Schiller ’79, network manager for Information Services & Technology. “I’m not worried.”
File public, found in Google
“Basically, a programmer was going through an extraction from one of our systems, and accidentally left [the file] in that [public] directory,” Schiller said.
“We do know who put it there,” said Jerrold M. Grochow, vice president for IS&T. “We have thoroughly investigated and realized it was accidental.” Grochow declined to say whether this person was reprimanded.
Administrators found out about the public file when an alumnus came across it in a Google search for an MIT employee.
The alumnus noticed one result “was a very odd mixture of numbers and letters” and called MIT immediately upon realizing what the file was, Willmore said.
Schiller said his first reaction was “like anybody’s first reaction. We didn’t know how bad it was, [so] initially I was very concerned.”
IS&T immediately took the file down and contacted Google to have them remove their cache of the file, Willmore said.
Schiller said the IS&T staff searched for the file in “all the other search engines we could find,” and the file did not come up in any of these searches.
Five report potential ID fraud
“There was no credit card information in the file,” Grochow said. “The reason we are referring people to credit card bureaus is that if there is any issue of identity theft, this is where it would show up first.”
“We’ve heard from about five people who think they might be victims of identity theft,” Willmore said. She said MIT is working with these people to “get their records cleaned up” and figure out whether they are really victims of identity fraud.
The IS&T staff “should be meticulous in doing their work so that it doesn’t happen again,” said Martha Lugo, a former MIT Media Laboratory staff member. “Nobody wants to be in a situation where their identity gets stolen.”
MIT offers advice, support
All affected MIT employees received letters explaining the situation on March 23, a week after administrators learned of the problem. Employees were told it was unlikely that anyone had viewed the file, but that they should review their personal records.
Willmore said they delayed making an announcement in order to figure out exactly what had happened, how much damage had been done, and what advice and support they could offer.
For example, she said, they arranged a mechanism by which a person who did not qualify for a free credit report could obtain one, with MIT footing the bill.
Willmore said MIT has offered to give any affected employee a new MIT identification number, though there is little an identity thief could do with a person’s MIT ID number.
The department of human resources is currently monitoring the questions that staff have about this issue, both those coming to the department directly and those calling the hotline set up by IS&T, said Laura Avakian, vice president for human resources. “We want to assure that employees get answers,” Avakian said.
MIT reviews policies, procedures
Schiller said it is particularly important to be careful with files left in AFS, Athena’s distributed file system.
IS&T is currently reviewing all public access folders on Athena, Grochow said. “The Athena system has literally tens of thousands of public access folders,” he said. “We are reviewing the folders that are used by the IS&T staff, and if it makes sense to restrict them, we will.”
Grochow said that many faculty, students, and staff have files in public folders that provide course material or other information that they want to have publicly available. Therefore, the decision to restrict folders will have to be made on a case-by-case basis. Creators of any folders can restrict access using Athena commands on their own, he said.
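An added example, not code from the article or from MIT IS&T, of the kind of review Grochow describes: a POSIX shell function that scans the output of the AFS `fs listacl` command for directories whose ACL grants `system:anyuser` read rights, which is what makes a folder readable by anyone, including a web crawler. The `fs listacl` and `fs setacl` commands are real AFS tools; the sample ACL text, the `jdoe` account and the paths under /afs/athena.mit.edu are constructed.

```shell
#!/bin/sh
# Added example: flag AFS directories that are world-readable.
# afs_world_readable ACL_TEXT
#   ACL_TEXT is the output of "fs listacl" for one or more directories.
#   Prints "<dir>: system:anyuser <rights>" for every directory whose ACL
#   gives system:anyuser the 'r' (read) right; exit status 0 if any were
#   found, 1 if none.
afs_world_readable() {
    printf '%s\n' "$1" | awk '
        /^Access list for / { dir = $4 }            # "Access list for <dir> is"
        $1 == "system:anyuser" && $2 ~ /r/ {
            print dir ": " $1 " " $2
            found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# Constructed sample in the format "fs listacl" prints: one public web
# directory and one private directory.
SAMPLE='Access list for /afs/athena.mit.edu/user/j/o/jdoe/www is
Normal rights:
  system:anyuser rl
  jdoe rlidwka
Access list for /afs/athena.mit.edu/user/j/o/jdoe/Private is
Normal rights:
  jdoe rlidwka'

# Run the check over the constructed sample.
audit_sample() { afs_world_readable "$SAMPLE"; }

# On a real AFS client the same check runs over a whole home directory
# (assumed usage; "fs la" is the short form of "fs listacl"):
#   find "$HOME" -type d -exec fs la {} \; | { IFS= read -r all; ... }
# and a directory confirmed to contain private data loses anonymous access
# with:
#   fs setacl /afs/athena.mit.edu/user/j/o/jdoe/www system:anyuser none
```

Only `system:anyuser` entries are flagged; an ACL that grants read to a named group still needs a human look, since group membership decides who can read it.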
Google cached one percent of data
Schiller said Google only caches and indexes the first 100KB of any given file. Thus, “Google indexed only about 1 percent of the file,” or about 100 names, he said.
However, before the original file was taken down, anyone who accessed the file by searching for one of 100 indexed names would have been able to view the entire file.
“It sounded pretty dramatic when we first learned of it, and it is, in a sense,” Willmore said. “But because Google indexed only one percent of the file, there was a smaller chance of people coming across it.”
For more information, visit http://web.mit.edu/infoprotect.
Jennifer Krishnan contributed to the reporting of this story.