Surprise, surprise -- someone broke into a UT administrative computer and stole a bunch of directory information this weekend, including social security numbers.
Unlike Cecily, I can't say I'm really surprised if UT's administrative systems were broken into. Why should UT be immune to cracks that lots of other organizations fall for?
However, from the description of the breach, it doesn't sound like the crackers did anything very sophisticated. They found a way to do basic directory lookups by social security number and then started firing made-up SSNs at the system and saving the results when they happened to match people in UT's database.
The sad thing is that there's a common-sense precaution against identity theft which UT could have adopted decades ago and which would have limited the damage caused by this incident. Since my undergrad days, at least, UT has insisted on using SSNs as the default student or staff ID number. Students can get an exception if they object, but how many incoming freshmen are savvy about identity theft? And faculty and staff have no such option. If UT would only generate its own internal ID numbers and segregate SSNs as confidential information, then a breach of a low-sensitivity database (as this one appears to be) wouldn't put SSNs at risk.
This is exactly why privacy curmudgeons object to SSNs being routinely used as a universal identifier. But try to get a big organization like UT to listen...