Had their social security numbers stolen

207 students at the Faculty of Theology (TF) are in danger of identity theft after a mistake led to their social security numbers being available on the internet. This is the latest in a long list of slip-ups related to sensitive information at the University of Oslo (UiO), and this time the University Center for Information Technology (USIT) can confirm that the personal data has been downloaded to a server in Asia.

Lifelong risk of identity theft

Torbjørn Askevold is one of the students who have been told that their social security number has been available online. He was informed about the leak during Easter.

– I received an email from USIT in which they advised me to block the possibility of being subject to credit ratings. Beyond this, I was given no explanation or apology, and had to contact them myself in order to find out what had really happened, Askevold says.

The mistake means a lot of extra work for Askevold and others who have been affected.

– By blocking credit ratings I am able to protect myself against fraud, but if I want to get a new credit card or phone subscription, I have to ring all the credit companies to lift the block, and then I have to put it back in place again afterwards. This is a lot of work for something that is not my fault, Askevold says.

Information director at the Data Inspectorate, Ove Skåra, says that social security numbers can be used to obtain bank details and order credit cards.

– In a worst case scenario, it can be used to take over someone else’s identity, he says.

As the social security numbers have been downloaded, there is in principle no time limit as to how long the students must block the possibility of credit ratings.

– Social security numbers are something that can be abused after a long time has lapsed, and with the possible consequences of this being so serious, it is dangerous to play down the importance of this kind of leak, Skåra says.

UiO may face fines

The Data Inspectorate has criticized UiO on previous occasions for the sloppy handling of social security numbers. Skåra says that UiO is a negative exception among Norwegian universities and university colleges.

– There have now been a number of cases like this from UiO, and if the repetitions and the degree of severity are adequate, we will be able to issue fines. It is serious than information has been leaked yet again, but we will have to examine this case more thoroughly before we can take a stance on possible sanctions, Skåra states.

– Social security numbers being exposed to people who are not meant to see them is always serious, Skåra says.

Askevold thinks that it is weak that UiO has yet again leaked social security numbers.

– I find it disappointing that an institution like UiO cannot protect personal data. The university should be leading the way as a good example in cases relating to data protection, both within the field of research and in practice in their own computer system.

Admit responsibility

Faculty director at TF, Dag Myhre-Nielsen, confirms that the social security numbers were accidentally made available in connection with changes in the computer system. The information that has been leaked was taken from the students’ locker application forms. Myhre-Nielsen accepts that the university is at fault and apologizes to all students who have been affected by this mistake.

– We have now carried out a security check and a damage check, and everything was closed down and removed as soon as the mistake was discovered. We promise that this will not happen again, says Myhre-Nielsen.

USIT specifies that the responsibility for this slip-up lies with TF. Director of IT Lars Oftedal says that they are not familiar with the registration system that TF has operated with.

– UiO has strict requirements for storage of social security numbers, but the system that TF uses has never been approved by us, Oftedal says.