Thursday, October 20, 2005

Incident: Personal information of Vermont Tech students internet-accessible for over a year

Another university-related privacy/security breach:

Personal information on Vermont Tech students ends up on the Internet

Vermont Technical College's entire student body had their names, addresses, Social Security numbers and academic information inadvertently posted on the Internet by a college staff member more than a year ago, and the records remained publicly accessible until last week, Vermont Tech officials said Wednesday.

A former Vermont Tech student happened upon the 2003 student information last week after using the search engine Google to look up his own name, Vermont Tech President Allan Rodgers said. The college, which notified Google and removed the information from the college computer server on which it was stored, is contacting all 1,100 students whose private information was likely available on the Internet since January 2004.

"We have taken swift steps to secure the information and to remove the data from the Vermont Tech server and from other sources," Rodgers wrote in an Oct. 12 e-mail to students and alumni. "We regret this incident, and we are reviewing our security practices, policies and employee training."

A Vermont Tech employee who coordinates the college's tutoring services was responsible for the error, Rodgers said. The staff member, he said, attempted to electronically submit the student information over a privately secured computer drive but inadvertently sent it to a publicly accessible college Web site.

The information included student names; ethnicity; Social Security numbers; addresses; and student identification numbers. Academic information, including SAT scores and academic standings, were also part of the compromised data.

"This is the first time we've been aware that this information could be accessed," Rodgers said, referring to the former student's Internet discovery. Rodgers said he has since spoken to one or two students who are curious about what happened and how the college will follow up on it.

Rodgers said all Vermont Tech employees, including the employee who made the error, will receive additional training on computer network security.

"People have to have access to information in order to do their jobs, and we need to make them understand what is secure and what is an unsecured venue for information transmission," Rodgers said.

While there is no indication that any of the Vermont Tech information was lifted off the Internet by identity thieves, the possibility that such a thing could happen is very real, said Gary Kessler, an associate professor at Champlain College and director of its information security program.

Kessler said universities and colleges, with their vast computer networks and wealth of sensitive data, might be particularly vulnerable to hackers. The University of California, San Diego, and the University of Texas at Austin, he said, are among the growing number of institutions that have fallen victim to identity thieves.

Champlain College recently spent millions of dollars on a new administrative student database system that includes state-of-the-art security. As part of the new system, only specific employees may access private data, such as Social Security numbers.

"With the new system at Champlain, I cannot get Social Security numbers of my students. I can't even accidentally disclose the information," Kessler said. "The only people that generally require Social Security numbers are dealing with financial aid."

No comments: