Identity Finder is a program that is available at no cost to all UW-Madison faculty, staff and students to protect themselves and their computers from loss of restricted information and identity theft. It will scour a hard drive, a thumb drive, an external drive or a network drive and detect social security numbers, credit card numbers, dates of birth and even more esoteric information such as driver’s license and passport numbers.
For over a year, all IT staff in CALS have been urged to run Identity Finder on the administrative computers in units where HR and budget work is done, to root out restricted information left over from documents like timesheets, travel expense reports, grant budgeting exercises, and criminal background checks. Most of this information has been found to be more than seven years old, so files can be ‘shredded’ with impunity. When it is not certain that the file is valueless, the documents can be either ‘scrubbed’ of the restricted information using Identity Finder or the files can be copied onto off-line media such as CDs that can live in a drawer and then the file can be deleted. Files that can’t be deleted—restricted information required for legitimate and ongoing business purposes—need to be encrypted by the IT staff.
This use of Identity Finder on computers used for unit administration significantly cuts down the impact of data loss if hackers were to find their way into an administrative computer through vulnerabilities created by some piece of unpatched software or plugins. Campus units that have been broken into have paid upwards of $40,000 in computer forensics costs alone. If data were found to have gone out the door, the cost of remediation would be added to the bill.
But what would turn up if a typical UW-Madison faculty or staff member ran Identity Finder on his or her own office computer, or even home computer?
If they had submitted grants in the early 2000s, their office computers likely would have the social security number of each and every collaborator on PDF grant forms. They might have social security numbers of former students and non-UW visitors on travel expense reports. They might have old grade sheets and class rosters from the days when SSNs were used as UW ID numbers. How embarrassing it would be to have to notify these good people that their personal information might have been needlessly exposed to hackers!
On home computers, tax preparation software leaves the entire family’s SSNs behind in unencrypted PDF forms. Credit card information is stored in some browser forms. Invoices for professional services will also likely contain that faculty or staffer’s SSN. Some of that personal data can be shredded, some scrubbed, and the rest put in password-protected files or directories.
Aside from the peace of mind that comes from knowing what personal information lurks, or doesn’t lurk, on an office or personal computer, there is the matter of the new campus IReport policy: If a computer hack is detected and “there is reason to believe … that restricted information may have been accessible to unauthorized persons,” then the computer’s hard drive will be collected by the Office of Campus Information Security for analysis. Before they return the drive, they will make an image of the hard drive and then scour the imaged drive for evidence of malware and the presence of restricted data. They will also examine the network logs looking for evidence that data was transmitted on the internet. If, on the other hand, there is reason to believe that there is no restricted data on the hacked computer — and running Identity Finder and clearing the restricted information as recently as the past few months is considered reason to believe that no restricted data was accessible — then local anti-malware measures alone are acceptable and OCIS need not be called in.
Identity Finder runs quietly in the background on PCs and Macs, and can be scheduled weekly or monthly. A scan can take anywhere up to a couple of hours, much like anti-virus software that scans each and every file. It produces a report that lists every suspect piece of data and displays its context. Rather easily, the false positives—such as numbers that look like SSNs but aren’t—can be identified and ignored and the user can get down to the important work of reducing or eliminating the load of restricted data on their computers. And as we maintain our privacy, we improve the overall campus information security picture.
CALS IT Director
Professor, Dept of Soil Science