This is the second in a three-part series on identity theft.
University officials say electronic information about students, faculty and staff is in safe hands and is protected from possible identity theft.
In order to better protect students’ information, the University transitioned to PeopleSoft 8.9 over the past year to avoid using students’ Social Security numbers, Kymberly Sherwood, associate director of Student Financial Aid, said.
"With our move to PeopleSoft, we now use PeopleSoft IDs – that’s really how the University identifies students now," she said.
Social Security numbers have been completely eliminated in the Scholarships and Financial Aid Department, Sherwood said. Social Security numbers are usually retrieved from a student’s Free Application for Federal Student Aid form, which is from the U.S. Department of Education. From there, the information is sent directly to UH’s secure servers.
Steve Green, assistant vice president of Information Technology Security, said one of the main advantages of utilizing an outside software company such as PeopleSoft 8.9 is the added security. Because of the sophisticated criminal programs and tactics employed by hackers, it’s best to leave it to technology experts, he said.
"You don’t have to rely on UH personnel for making the right software updates," he said.
Students’ private information is stored in servers in a secure building near campus, to which both physical and electronic access are strictly limited, Green said. For additional protection from hackers, the information is divided into pieces and stored in different locations within the servers.
"Even if they got access to the machine, it would be nearly impossible to read," he said.
University access to personal information, especially sensitive information like Social Security numbers, is limited to certain UH personnel. The University only allows necessary personnel to access this type of information, and they are continually reviewed to ensure security, Green said.
Green said the University has never had security problems storing electronic student information, although he can’t speak for other systems UH doesn’t control, such as the one for purchasing athletics tickets.
One department did have a pilot system hacked a few years ago, he said, though he declined to identify the department, and said it didn’t affect student information.
Overall, he said, the University is very secure electronically.
"I think we got the institutional piece pretty solid," he said. "I worry about the end-user side."
Beware of bots
If there’s any cause for worry, it’s often an individual’s own computer use that leads to electronic identity theft, UH administrators said.
UH monitors everyone’s network activity through raw data streams, not actually viewing what is on screen, Green said. Also, the University does have programs monitoring streams of data for questionable activity that could indicate a problem, he said.
In such an event, Green’s department investigates, and, nearly all of the time, the problem is a "bot," or a program hidden in the computer that allows an outside party to access and control it. The victims of such software, called "malware," usually have no idea it is on their computers, he said.
"Most people say the applications are running slow, and they find out their computer is being used to distribute porn or files or songs," he said.
Many of these bots get on a computer through spam messages and ads, he said, and are tough to get rid of. They can serve many purposes, including retrieving personal information stored on a computer: account numbers, passwords, Social Security numbers, names and birthdates.
"Once a bot’s on your machine, they own you," he said. "The only way you can get rid of it is to wipe out your machine and start over."
Green said one of the biggest sources of identity theft is stolen laptops containing unprotected personal information.
In order to protect yourself from electronic identity theft, Green recommends encrypting files and hard disks. In addition, people should follow the posted security instructions when using online services such as Google Desktop, Kazaa or BitTorrent, and should not save personal information on a computer, he said. Everyone should also be especially wary of "phishing" scams that pretend to be reputable institutions seeking personal information, Green said.
With a new computer, he said, security updates should be made from a trusted CD or before connecting to the Internet for the first time. If this software isn’t loaded, the machine could be hacked in less than three minutes.
He said that the severity of having personal information stolen on a laptop compares to having a purse with a driver’s license and credit cards stolen.
"People just don’t realize – there’s stuff out there floating on the Internet," he said.