In late June 2007, I discovered approximately 163,000 social security numbers, and contact information for nearly 200,000 Louisianans, in nearly 200 online documents. The affected individuals appear to be mainly former Louisiana high school students born between about 1979 and 1987, as well as roughly 34,000 Louisiana state education employees. I have calculated that the files themselves have a street value of more than $4 million, and almost a billion dollars worth of potentially stolen credit.
The files were posted on a website belonging to the Louisiana State Board of Regents, which appeared to be an online interface for an internal network. The files with sensitive information were among internal documents, usernames, passwords, company e-mail, personnel records, personal documents, family photos, and pornography. While parts of the network were password-protected, the folders containing these 200 files were open to the public, and not password protected. Many of them were indexed by major search engines. While nobody knows exactly how long the files were exposed, WDSU in New Orleans reports that the files may have been online as long as 1-2 years. The Board of Regents has posted an advisory on the subject. They have indicated that
Any student who was enrolled in the 10th grade at a Louisiana public high school and took the EPAS (Educational Planning and Assessment) Plan test between 2001 and 2003, [and] Any Louisiana public college or university faculty or staff member who was employed in either 2000 or 2001 [are at risk].
As of the date of the breach, the Louisiana State Education system used a student’s Social Security Number as their student ID.
The Louisiana State Board of Regents acted quickly to take the website down once they became aware of its existence. They immediately notified the Department of Education and the Louisiana State Attorney General of the breach, and began an internal investigation. They also contacted Google, to request that they clear their search engine caches. By the first week in July, 2007 Google’s cache had begun to clear. On July 6th, I also contacted Google’s Associate General Counsel and Vice President of Engineering, and asked them to completely clear Google’s cache. Google’s caches were clear within several hours after the request.
This breach is so massive that unlike the Arkansas.gov breach, I am unable to directly contact all of the affected individuals. To assist the Board of Regents in notifying people affected by this breach, I am working with the Liberty Coalition to create a free victims’ resource online at www.ssnbreach.org. There, individuals are able to ascertain whether they were affected by this release of personal information, and learn what steps they can take to mitigate their own long-term risk. The website also contains resources from ftc.gov and other reputable organizations and companies. I was also able to negotiate discounts off the services of ID Theft protection on behalf of the victims, if they need it.
How www.ssnbreach.org Works
When a user visits www.ssnbreach.org, they may search for their name, to find out whether they were affected by this breach. Because ssnbreach.org does not contain Social Security Numbers, addresses, phone numbers, or any other sensitive data, users are not able to search by any criteria other than their names. Neither I nor the Liberty Coalition have any interest in becoming stewards of sensitive personal information.
SSNBreach.org does not store any social security numbers, or even complete addresses, etc. Instead, the website gives users a Yes/No report on whether their identity may have been compromised. This “Information Exposure Report” (IXR) also includes links to resources to help victims take protective action. Once an individual reads his IXR, he may choose to permanently hide key details of the report.
In order to help people with similar names to distinguish themselves, ssnbreach.org stores a small piece of distinguishing information such as a partial zip code, the first few digits of an address, or last few digits of a phone number. This is enough information for “John Smith” to be able to identify himself from among the other John Smiths, but is insufficient for a third party to positively identify or locate him, based solely on that information.
The first version of the website will go live tonight by 11:00 Eastern.