A little tiny baby information calamity.
I was also glad to see Jamie Lewis blogging about the security breach at George Mason University… The full story is on News.com. Basically,
George Mason
University confirmed on Monday that the personal information of more
than 30,000 students, faculty and staff had been nabbed by online
intruders. The
attackers broke into a server that held details used on campus identity
cards, the university said. Joy Hughes, the school's vice president for
information technology, said in an internal e-mail sent over the
weekend and seen by CNET News.com that “the server contained the names, photos, Social Security numbers and (campus ID) numbers of all members of the Mason community who have identification cards.”
Jamie had told me recently how much he liked the piece in which I
worried that the British Identity Card – as proposed in its initial
draft – is an information-disaster-waiting-to-happen. His reaction to the George Mason affair is:
As identity systems aggregate information, they also aggregate risk.
And the custodians of those stores must take the proper precautions,
including risk and threat assessments and the implementation of a
reasonable protection posture.
I love the formulation that as identity systems aggregate
information, they aggregate risk. I want to put that into the second
law since it is really key to what I was trying to express.
However, as much as I love to see Jamie exuding unbridled
optimism – I would be surprised if the custodians had not done risk and
threat assessments, or somehow failed to act responsibly to protect the
information. So this part rings hollow.
We need to base our approach to these scenarios on the idea that one day, the store will be penetrated.
We need then to reduce information in the store to the minimum
required. We need to distribute information so breaking into one system
gives away as little as possible. And more than anything, we need
unidirectional identifiers such that only access to a metasystem allows
assembly of cross-aspect information.
For example, there was no need for George Mason's ID
system to contain social security numbers. Nor, bizarrely, is there
probably any reason for it to contain student identification numbers.
It could – I know this sounds primitive – just contain single-purpose identity card numbers.
A metadirectory – which itself contained no substantive information –
could provide glue to other identification contexts for those who merit
it – and on a case by case rather than carte blanche basis. This allows
many more controls and balances to be built into the system. (All of
this is Law 4)
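
One way to read the design in the preceding paragraphs, as an added example that is not from the original post: the card system stores only a single-purpose card number, and a metadirectory holding no names or SSNs translates it into another context's identifier only under a per-record grant. The HMAC derivation, the class and method names, and the sample records are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

class Metadirectory:
    """Glue between contexts; stores opaque handles only, no names or SSNs."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # never leaves the metadirectory
        self._handle_of = {}                 # (context, identifier) -> opaque handle
        self._grants = set()                 # (requester, from_ctx, to_ctx, identifier)

    def _derive(self, handle, context):
        msg = context.encode() + b"\x00" + handle
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:16]

    def enroll(self, contexts):
        """Create one person; return a distinct identifier for each context."""
        handle = secrets.token_bytes(16)
        ids = {ctx: self._derive(handle, ctx) for ctx in contexts}
        for ctx, ident in ids.items():
            self._handle_of[(ctx, ident)] = handle
        return ids

    def grant(self, requester, from_ctx, to_ctx, identifier):
        """Case-by-case approval: one requester, one record, one direction."""
        self._grants.add((requester, from_ctx, to_ctx, identifier))

    def translate(self, requester, from_ctx, to_ctx, identifier):
        if (requester, from_ctx, to_ctx, identifier) not in self._grants:
            raise PermissionError("no grant for this lookup")
        handle = self._handle_of[(from_ctx, identifier)]
        return self._derive(handle, to_ctx)


def demo():
    meta = Metadirectory()
    alice = meta.enroll(["id-card", "registrar"])
    bob = meta.enroll(["id-card", "registrar"])
    # Constructed card-system store: card number and a photo reference, nothing else.
    card_store = {alice["id-card"]: {"photo": "a.jpg"}, bob["id-card"]: {"photo": "b.jpg"}}
    meta.grant("card-office", "id-card", "registrar", alice["id-card"])
    linked = meta.translate("card-office", "id-card", "registrar", alice["id-card"])
    try:
        meta.translate("card-office", "id-card", "registrar", bob["id-card"])
        denied = False
    except PermissionError:
        denied = True  # no carte blanche: bob's record was never granted
    return alice, card_store, linked, denied
```

A copy of `card_store` on its own yields card numbers and photo references; linking any of them to the registrar context requires the metadirectory's key, its handle table and a grant for that record.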
George Mason had been moving in the right direction.
So the SSNs were now redundant (ouch! Law 2). But as if to underline my point,
“We felt that the information there was secure,” George Mason spokesman Daniel Walsch said on Monday.
And now, fasten your seat belts for the obvious:
George Mason is not alone among universities in suffering a security breach. Two years ago, online intruders broke into
a server containing the credit card numbers of some 57,000 patrons of a
Georgia Institute of Technology arts and theater program, while others lifted
more than 55,000 Social Security numbers from computers at the
University of Texas at Austin. Last year, more than 1 million
California residents had their personal information leaked thanks to a
pair of incidents at UCLA and the University of California at Berkeley.
Put these all together, go up to the national scale, make
the system available on-line, add every piece of identifying
information – physical, biometric, educational, employer-related. Then
you have a really nice target – I mean TARGET – don't you? Inside job or outside?
And you can probably just “dribble” a lot of information
out of the system before anyone is any the wiser if you have the right
background and access. [Kim Cameron's Identity Weblog]