Hacked uni's admins hand ID theft prevention reward to data burglars
Bungling Bradley may have botched it
An Illinois university's sysadmins have seemingly handed data burglars a year-long subscription to LifeLock, an identity alert and credit monitoring system, following a data breach at the US institution which left thousands vulnerable to identity theft.
With the best of intentions, Bradley University reacted to being hacked by informing its employees that they, and members of their family, may have had "personally identifiable information, including Social Security Numbers (SSN), compromised as a result of a breach of system data security".
The private institution then attempted to mitigate the fallout from a data breach by offering a free LifeLock subscription to those whose information may have been compromised.
Unfortunately, the university has not developed any security protocols further than users being able to construct their member ID from their surname plus the last 4 digits of their SSN (e.g. MARTIN1234), exactly the type of private details which had just been stolen by the data burglars.
Should the criminals manage to use the identity protection system (intended to detect fraudulent applications) to manage the proceeds of heists, it could net them stalker privileges or even allow full-on identity theft.
LifeLock, intends to protect against identity theft by providing "enrolled" users with alerts whenever their registered details, such as SSNs, are used for credit reports.
After several attempts to contact the data security company, El Reg was finally informed by a LifeLock spokesperson that "we take every measure and every protection to verify our users' identities". We'll update as and when we receive any other comment.
LifeLock was fined $12m in 2010 by the Federal Trade Commission, which forced the company to refund almost 960,000 customers over allegedly false claims that it made.
Bradley University's spokesperson was unable to tell The Register whether the university knew of LifeLock's trouble with the FTC. ®
Sponsored: Global DDoS threat landscape report