[ISN] J-CARD numbers leaked on Internet

InfoSec News isn at c4i.org
Mon Feb 7 08:31:03 EST 2005


By Katherine Brewer
February 04, 2005

Over 2,100 Hopkins students, mostly juniors and seniors, must trade in
their J-CARDS after the university discovered it had accidentally
posted their names and J-CARDS numbers online this winter.

The files, used in the spring 2003 Student Counsel elections,
contained the names, birthdays and J-CARD numbers of over 4,000

The last four digits of 1,500 of these students' Social Security
numbers were also posted.

Many of the affected students have graduated, but all juniors and
seniors and several graduate students who still have active J-CARDs
were contacted through mail by Susan Boswell, dean of student life, on
Jan. 24.

Although there was no direct link to the leaked J-CARD information, it
was accessible through search engines. A student who entered her name
on http://www.google.com discovered the files and notified the school.

The error was discovered on January 4, but administrators kept it
private until all links to the material could be deleted.

"It's not clear exactly how long they were online," said Dennis
O'Shea, executive director of communications and public affairs for

O'Shea also stressed that this would not happen again, because it was
a transition year in StuCo balloting, and elections no longer involves
entering J-CARD numbers.

There is no evidence that the information was accessed and used
illegally, but the university decided to take precautions and asked
all those effected to trade in their J-CARDs for new one by Feb. 11.

"The file was in a very obscure place. You would have had to gone
looking for them," O'Shea said, "and most people wouldn't know what
they were, even if they did find them."

"Although the university feels strongly that any potential harm has
been averted by the discovery and removal of the files, we nonetheless
think it is advisable to err on the side of caution," Boswell wrote in
an e-mail to affected students.

The J-CARD office has extended its hours to 7 p.m. until Feb. 11 to
help with the exchange, but students who do not exchange their cards
by the scheduled date are subject to cancellation of their cards.

To date, according to O'Shea's office, more than 750 students have
made their J-CARD exchanges, out of the 2,100 juniors and seniors with
active cards.

"We do encourage all students who are affected to exchange," said
O'Shea, "and remind them that they are subject to cancellation if they
do not make the exchange by the deadline."

Although there is very little that can be done with only the J-CARD
number without the possession of the actual card, the university has
notified local businesses that accept J-CARD to be on alert and asked
affected students to keep tabs on their J-CARD accounts.

"It doesn't really bother me much," said James Baird, a senior who has
yet to trade in his card. "I suppose it's safer than doing nothing at
all, but I'm kind of surprised they didn't figure this out a while

Some students expressed little concern about the information leak.

"I don't really care that the information was on the Internet," said
Mike Kong, a senior.

At least one student did express feelings of frustration at the
situation, especially in light of what he considered to be other
general security failures.

"For some reason, I don't have much confidence in the security
measures at this school," said Matt Bassett, a junior. "This is just
another example of a security failure; they can't even keep our
personal information safe on the Internet."

More information about the ISN mailing list