Some of you may have already seen this story floating around. As someone who went to a school that used the SSN as a student ID, I’m totally unsurprised by this. Something that’s a bit baffling is why you’d go to the effort to break into computers to obtain this information, though.
Maybe it was only the case at my school, but teachers often passed their roll sheet around the classroom for students to indicate they were present (this happened mostly the first week while teachers were trying to figure out which students weren’t showing up so they could be dropped). In most cases, the teachers didn’t have the good sense to black out the SSN on the roll sheet, giving access to the name and SSN of every student enrolled in the class. All you had to do was go to numerous classrooms on the first day, wait for the roll sheet to be passed around and get yourself some names and SSNs.
Combine that with the fact that every student had a 4-digit PIN to access every system (the SSN was the user ID) and you had a system very open to exploitation (it doesn’t take very long to brute-force 10,000 PINs when you can write code to do it for you). It would be a pleasant and refreshing change to see universities set a good example by showing students how best to protect vital data.