(U-WIRE) KENT, Ohio — Using a fairly simple computer program, a University of Akron student has accessed student and employee Social Security numbers, e-mail addresses, and first and last names.
The accounting student used the program he wrote himself after he found a glitch in the Kent State University website. He said individuals with a background similar to his could have done the same thing.
University officials are working to correct the problem.
Roger, the student, asked that his last name not be used for fear of prosecution. He was using the program and university website to e-mail about his business. He said he sent 37,000 messages to Kent State students and employees after logging in with one of the Social Security numbers he obtained.
Most of the people Roger found information about did not know he had obtained it. But Jenn Clause, a freshman English major, found out just before classes let out for winter break.
As Clause sat in her dorm room, an instant message from an unknown user popped up.
“He instant messaged me, and he said, ‘I’ve been reading your e-mail,’” she said. “I told him I didn’t believe him, and then he told me things no one would know who couldn’t read my e-mail.”
She said he was able to disclose details about her family and her boyfriend. Then came the kicker: her Social Security number.
“That’s when I thought, ‘This guy’s a psycho,’ and I wanted to know how was he able to do this,” Clause said.
She said she called ResNet officials, but they were unresponsive. ResNet, Kent State’s residential network, provides students living in the dorms access to the Internet. ResNet officials were unavailable for comment.
“I contacted some people about two months ago and told them somebody was reading my e-mail,” Clause said. “They didn’t really seem to care. They kind of brushed it off as, ‘You should have changed your password.’”
When a Kent State e-mail address is set up, the password is the first eight digits of the person’s Social Security number. ResNet suggests users change the password immediately.
President Carol Cartwright said she was unaware of the breach in security, but now that she knows about it, something will be done.
“Any organization understands that a system that is as wide-open as the Internet poses some challenges in order to keep your own system secure,” she said. “We do have a staff member in the information services division who works full time on security issues. We do take it seriously.
“We ask people who use our system to do so in a responsible way. If we find someone using it irresponsibly, we will take action.”
Cartwright said the university will make an attempt to find anyone who breaks into the system. The Daily Kent Stater told Cartwright where the glitch in the website lies, and she said officials will begin to correct it Monday.
Social Security information could be even more critical to the Kent State community because of the recent move to the online-only system for report cards. However, that system also requires an additional password to gain access.
Roger, the 26-year-old man who found the glitch, said he was surprised he was able to get so much information about students without much effort. He wrote a computer program using his knowledge of how Social Security numbers are created.
“Can you imagine a site where you punch in random digits and get someone’s personal information?” he asked.
“Someone who knew a little more about it could ping the server all day and get a lot more,” he said. “It was really just fun for me to see if I could do it.”
Kathryn May, whose name was on a list Roger gave the Stater, said she doesn’t think it “is very fun” for her name to be on this list.
“That’s pretty pertinent information,” she said in a phone interview, audibly flustered. “With a Social Security number, you can get into any sort of records. He can see almost all the personal information about me. Let’s not be silly here.”
She called the Kent State police. But campus police said unless something illegal has been done with the information, a report won’t be filed.
Clause said she was surprised this would happen to her through the university’s e-mail.
“It’s not good on the university’s behalf to let this happen,” she said. “I would expect it from AOL mail, but not from the university mail. They need to be careful with all the identity theft that goes on. It’s like a violation of my privacy and everything. It’s my identity.”