Despite our best efforts, machines sometimes get compromised. The culprit isn’t always (or even usually) a highly publicized group in it for the laughter. It could be a curious student, or an overzealous admin, or the Russians. Whoever is behind it, when it happens, it sucks. Especially if sensitive data is involved. So I really feel bad for my colleagues in the Math department at Purdue, who had to deal with this recently. According to the University News Service, over 7000 former students have been notified that an attacker potentially accessed their Social Security Number.
I know only as much about this as has been publicized, so I can’t speak to any specifics. What I can say is that stuff like this kept me up at night in my previous job. For years, SSNs were used to “anonymously” distribute grades to students. They’re nice because they’re a unique identifier and nearly everyone has one. Unfortunately, they’re also kind of important elsewhere and protected by state and federal laws. The upshot is that many faculty had files containing SSNs on their desktop or on removable media or on a file server.
In 2006, if memory serves, we were tasked with scanning every machine owned by the department for SSNs. This involved adapting some existing tools (which were basically just really fancy regular expressions to grep for), doing a room-by-room inventory, and then asking users to scan their machines and sift through the output. After the machine owners ran their own scans and cleaned up offending files, we did it again, this time forcing the scans and having the IT staff look for offensive files. It was a many-month project that was not by any means pleasant.
From the article, it sounds like it was similarly awful after this breach. You can’t assume that an SSN will be formatted 000-00-0000, so you have to look for 9-digit strings, which occur with alarming frequency. In this case, it appears that no one’s number was actually divulged, which simultaneously lends relief and futility to the exercise.
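A sketch of the kind of scan described above, as an added example and not the tooling the department used. It matches both formatted and bare 9-digit strings, then discards values the Social Security Administration never issues (area 000, 666 or 900-999, group 00, serial 0000) to thin out the false positives; the sample data and function names are constructed for illustration.

```python
import re

# Candidate: 9 digits, optionally split 3-2-4 by one consistent separator
# (hyphen or space), and not embedded in a longer digit or hyphen run.
CANDIDATE = re.compile(r"(?<![\d-])(\d{3})([- ]?)(\d{2})\2(\d{4})(?![\d-])")

def plausible_ssn(area, group, serial):
    """Reject values that are structurally never issued as SSNs."""
    if area == "000" or area == "666" or area >= "900":
        return False
    return group != "00" and serial != "0000"

def scan_text(text):
    """Return (line_no, masked_value, was_formatted) for each plausible hit."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in CANDIDATE.finditer(line):
            area, sep, group, serial = m.groups()
            if plausible_ssn(area, group, serial):
                # Mask the value so the report is not itself a file of SSNs.
                hits.append((line_no, "***-**-" + serial, sep != ""))
    return hits

# Constructed sample: two plausible SSNs among typical 9-digit noise.
SAMPLE = """\
student,id,grade
Doe J,123-45-6789,B+
Roe R,456789012,A
order 000123456 shipped
phone 765-494-1234
zip+4 47907-2067
serial 1234567890123
acct 912 34 5678
"""

if __name__ == "__main__":
    for line_no, masked, formatted in scan_text(SAMPLE):
        kind = "formatted" if formatted else "bare 9-digit, review by hand"
        print(f"line {line_no}: {masked} ({kind})")
```

Bare 9-digit hits that pass the structural check still need a human to look at the surrounding file, which is where the sifting effort goes.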