My private information is worth $30

2025-11-22 11:04 6964 blog.melashri.net

A couple of weeks ago, I was notified that I can be part of a class action settlement against the University of Minnesota for a data breach that exposed my personal information. According to the details, in 2021, the University of Minnesota experienced a data breach that exposed personal information of "individuals who submitted information to the university as a prospective student, attended the university as a student, worked at the university as an employee or participated in university programs between 1989 and Aug. 10, 2021" (source). I'm an alumnus of this university, so my information was part of that breach.

The university, of course, as a classical cooperative entity, took the easy route that the legal system provides. They refuse to admit any wrongdoing, but they agreed to pay $5 million to settle the class action lawsuit. The settlement is open to anyone who had their personal information exposed in the breach, which includes names, addresses, dates of birth, Social Security numbers, and other sensitive data.

What is more insulting than the university not issuing a formal apology to the affected individuals is that they are offering a mere $30 per person as compensation for the breach. Yes, to be honest, they include the standard 24 months of dark web monitoring and identity theft protection services, but the value of my personal information is set to $30, which would be even less if the number of people submitting exceeds the funding available for the settlement.

So according to the university that sends me two or three emails per week asking me to donate to them, my personal information is worth $30. I understand that my Social Security number and other personal information got exposed in other breaches (thanks to T-Mobile and others). But the current status quo is that it does not matter whether it is a commercial entity or a public one, they will act in the same way. They will not take responsibility for their actions, and they will not compensate you for the damage they caused. They will just offer you a small amount of money and hope that you will forget about it.

The University of Minnesota is not the only one doing this. Many other institutions and companies have been caught in data breaches and have offered similar settlements. But it is still disappointing to see that they are not taking the issue seriously. This same university, which promised lifetime access to an email address and did not honor it, is now offering me $30 for my personal information. It is a slap in the face to all of us who have been affected by this breach. So I will not be submitting a claim for the settlement. I will not be accepting their offer of $30. I would have much preferred if they had taken responsibility for their actions and issued a healthy apology. But they did not. This would have been a good start. But they did not. And they will not.

The basic problem is that they do not care about us. They care about their reputation and their bottom line. They do not care about the damage they caused to our personal information. They do not care about the trust they have broken. They just want to move on and forget about it. When this happens from a corporation or a company, I can understand it. But when it happens from a public institution that is supposed to serve the public interest, it is unacceptable. How would I trust anything coming from them in the future? They have shown that they don't care about their alumni or their students.

The regulation is very weak, and the courts/laws are not doing enough to hold these institutions accountable. The fines are too low, and the settlements are too small. The only way to change this is to demand better regulations and stronger penalties for data breaches. We need to hold these institutions accountable for their actions and make them pay for the damage they cause. If the fines and compensation were higher, then the incentives would be aligned, and they would take data security more seriously. They would also invest more in protecting our personal information instead of the ever-increasing administrative costs and salaries of the top executives.

US universities are not only charging high tuition fees for education, but they are even charging researchers with external grants to use their facilities. If you get an NSF or NIH grant, you have to pay the university a percentage of the grant as an indirect cost. The percentage varies from one university to another, but it is usually around 50%. This means that if you get a 100,000 USD grant, the university will take out 50,000 USD as indirect costs (NSF or NIH will end up paying 150,000 USD). This is a huge amount of money that could be used for research, but it is going to the university's administrative costs and salaries of the ever-increasing number of administrators.

For what it is worth, universities are currently under fire for a variety of reasons, mostly politically motivated, but there are many valid reasons to be critical of the way they are run. The way they handle data breaches is just one of them. The amount of disrespect they show to their alumni and students is another. The way they prioritize administrative costs over education and research is yet another. It is time for us to demand better from our universities and hold them accountable for their actions.

After writing this post and trying to proofread it, I realized that I repeated "My personal information is worth $30" multiple times. I guess it is a sign that I am still angry about it. But I also realized that if I had written this in Arabic it would have been much more concise. The poetic nature of writing in grievance in Arabic is much more effective than in English. But I will leave that for another time.


Comments

  • By mattmaroon 2025-11-22 12:21 1 reply

    The settlement you get from a class action lawsuit has no relation to the value of the underlying tort. It is not, as an investor would say, a pricing event.

    Everybody’s private information would be worth a different amount if you were talking sheer economic value. A poor person's would be very little, a rich person would be worth very much.

    • By cs702 2025-11-22 13:13

      Yes. $30/victim is the negotiated amount at which the lawyers make an acceptable profit.

      I'm talking about the lawyers who initiated, orchestrated, and covered all costs associated with the class action lawsuit.

      They typically get ~30% of the announced settlement. The headline figure in this case was $5M, so the lawyers likely got ~$1.5M.

      That has nothing to do with the worth of each victim's information.

  • By benterix 2025-11-22 12:51 1 reply

    This is an actual problem in general. As a rule, I never give my personal information online anywhere, always use fake info. However, there are a couple of cases when real info is necessary. If it's just my real name and phone number like for booking.com, that's maybe acceptable - just one weak point, little PII.

    However, an institution like a university requires a bit more, like a copy of my ID or a photo. And based on their attitude, I'm sure they'll get hacked sooner or later. Their IT is either outsourced or understaffed and of mediocre quality. The fact that no one broke in (?) is because nobody cared that much.

    • By hsbauauvhabzb 2025-11-22 13:21

      Your data is probably on a million systems regardless. While minimizing risk is great, I feel like it’s sorta a drop in the bucket. You need to rent a house, and pay a phone bill

  • By bmitch3020 2025-11-22 12:04 4 reply

    I wonder how much more organizations would value PII if we could legally demand all of the PII of the executive officers for that same price.

    • By itopaloglu83 2025-11-22 12:45 1 reply

      Not much, proper PII sustainment over decades (generally) is too demanding for universities unless they have proper resources and know-how as well.

      The US banking system has some blame here as well, just knowing someone’s bank account details shouldn’t let anyone transfer money out of it. IBAN system is quite good at this, that people just share their account numbers with each other and even some merchants like restaurants accept payment through IBAN.

      • By amypetrik8 2025-11-23 15:19

        While mbitch3020 makes a good point about holding people to the standards they themselves hold others to - in the case of universities, I'm pretty sure if every sub department of a department of a branch of many universities has one or more diversity commissar officers... if universities can afford that they're not hurting to hire up a bunch of data integrity commissars

    • By mattmaroon 2025-11-22 13:54 2 reply

      I’d assume the executive officers are just as affected as anyone else. Nobody is safe from the data harvesting/sales going on anymore.

      • By TheCraiggers 2025-11-22 16:43

        Yeah, sure. Only difference is they have millions/billions to pay for professionals to guard them and watch for anything out of the norm.

      • By esseph 2025-11-22 21:03

        When you have money there's a lot of ways to obscure ownership of things in the case of public records disclosure.

    • By constantcrying 2025-11-22 12:15

      According to the statement all university employees' data was leaked. This of course would include all of the administration, up to the president.

    • By Terr_ 2025-11-22 12:28

      Or if the company had statutory liability for any leaks or misuse of material in their control.
