Berkeley Law’s Samuelson Clinic Reveals Sallie Mae’s Flawed Security Practices

Contact: Susan Gluss, media relations director, 510.642.6936, sgluss@law.berkeley.edu

Students persuade lender to reduce risks of identity theft, but security lapses remain

Berkeley, CA—June 5, 2008… Students at the Samuelson Law, Technology & Public Policy Clinic at the University of California, Berkeley, School of Law recently accused Sallie Mae—the nation’s largest student lender—of placing millions of its customers at risk of identity theft through improper and potentially illegal authentication practices. Although Sallie Mae revised its authentication practices this spring after receiving a cease-and-desist letter from the Clinic, law students say the new practice remains flawed and leaves student borrowers vulnerable to identity theft.

The Samuelson Clinic investigated Sallie Mae’s security practices after receiving complaints from a student customer last fall and found that the lender exposed customers to unnecessary privacy risks. Sallie Mae, which manages nearly 10 million student loans, offers customers the option to receive their monthly financial statements electronically. Customers who choose that option receive monthly e-mail statements as a password-protected PDF file. The e-mail sent to customers states that the password to the file is the customer’s Social Security Number (SSN)—a nine-digit number. Clinic students found that in 30 minutes or less, using decryption software freely available on the Internet, an identity thief could decrypt a customer’s SSN and steal private financial information from the account statement.

“Sallie Mae violated nearly every reasonable measure to protect a customer’s identity and financial information,” said Kathleen Lu, one of the Berkeley Law students who investigated the complaint. “Identity thieves, or, frankly, anyone who’s a bit savvy with computer software, could crack open a person’s private file and steal information at will.”

Despite several Internet posts complaining about the problem from January 2004 through March 2007, Sallie Mae took no corrective action. Last November, after further investigation into Sallie Mae’s practices, the Samuelson Clinic sent Sallie Mae a cease-and-desist letter demanding that the company improve its security practices or face legal action.

Sallie Mae responded to the Clinic’s letter in December 2007 and agreed to discuss its security practices with the Clinic in a February 2008 conference call. On that call, Sallie Mae Senior Vice President and Deputy General Counsel Eric Reicin and Chief Privacy Officer Brian Hynes stated that, in response to the Clinic’s letter, Sallie Mae had sought the advice of David Medine of WilmerHale, the former associate director of financial practices at the Federal Trade Commission. Reicin and Hynes also shared Sallie Mae’s plans to roll out an enhanced security system on March 1. Samuelson Clinic students recommended additional security safeguards used by other financial institutions, such as a) using passwords without Social Security Numbers, b) allowing customers to set their own passwords, and c) requiring customers to access their account statements via a secure Web site instead of e-mail.

Although Sallie Mae has since refused to provide additional details about its security plans, the Samuelson Clinic has independently confirmed that the lender has started to implement its improved—but flawed—security system. In an e-mail sent to a student borrower on April 14, 2008 and forwarded to the Samuelson Clinic, Sallie Mae announced that its “updated” password is the borrower’s 10-digit account number, followed by the first letter of the borrower’s state of residence and the last four digits of the customer’s Social Security Number. While the new password is an improvement over Sallie Mae’s previous methods, student borrowers are still at risk of identity theft, according to the Clinic.

On the upside, an identity thief can no longer obtain a Sallie Mae borrower’s full SSN by decrypting the customer’s account statement. On the downside, the limited range of potential passwords—made up of ten numbers, one letter, and another four numbers—still renders it susceptible to password-guessing software. Not only that, identity thieves who decrypt a customer’s account statement can still obtain the last four digits of the customer’s SSN, a common authenticator, and the financial information in the account statement. Sallie Mae did not adopt the Samuelson Clinic’s recommended security methods used by many other financial institutions, such as user-set passwords with minimum strength standards, and the new system is being implemented in phases—meaning some borrowers will not even receive the limited security improvements until late June.

“We’re glad Sallie Mae realized it was exposing its customers to security risks and took some corrective action,” said Edward Takashima, a Samuelson Clinic law student active in the investigation. “However, we’re disappointed that Sallie Mae did not take this opportunity to lead the financial services community by developing a more secure authentication system. We urge Sallie Mae and other companies to continue to examine their own programs and fix security lapses.”

The Samuelson Clinic will continue to monitor Sallie Mae’s implementation of its security updates and advocate for additional improvements. The Clinic urges all customers to be vigilant in guarding their personal information against identity theft and to pressure their financial institutions to take appropriate safeguards. Clinic students would like to receive information about other companies engaged in improper and risky authentication and privacy practices. Concerned customers can reach the Clinic at salliemaesecurity@law.berkeley.edu.

The Samuelson Law, Technology & Public Policy Clinic at UC Berkeley School of Law gives students hands-on training while serving as the public’s voice in legal and regulatory disputes. Guided by Clinic faculty, students file amicus briefs, comment on proposed legislation and regulations, and provide legal assistance in important issues relating to law and technology. The Clinic represents consumer interests in intellectual property, communications regulation, and privacy issues, among other areas. Law students Kathleen Lu, Genevieve Rosloff, Edward Takashima and Kathy Yu worked on this project under the supervision of Samuelson Clinic Fellow Jennifer Lynch. For more information about the Clinic, go to: http://www.samuelsonclinic.org/. For more information about Berkeley Law, go to: https://www.law.berkeley.edu/.