http://www.themontclarion.org/media/paper374/news/2005/10/20/News/Negligence.At.Msu.Exposes.9100.Students.To.I.d.Theft-1028069.shtml By Jessica Havery October 20, 2005 Due to what Montclair State University officials are calling an "inadvertent error," the social security numbers of 9,100 Montclair State University students were made available online for nearly five months, putting each student at risk for identity theft and credit fraud. The error, discovered last Wednesday by junior political science major, Brian Gatens, was identified when Gatens stumbled over the information database after running a search for his name on a Google search engine. After making the discovery, and contacting Information Technology to report the issue, Gatens informed The Montclarion about the mishap. However, the paper decided to hold the story, originally meant to run on Oct. 13, in order to protect the confidential information of the students at risk. In response to Gaten's report, Jeff Giacobbe, director of Information Technology Networks, Telecommunications, Systems and Security, said that the information had been gathered by a University employee who had been authorized to do so. "This person inadvertently posted the files to an area of the campus web server that was subsequently read and 'cached' by the Google search engine," Giacobbe said. The employee, whose name has not been released by the University, placed the files onto the server so that the information could be retrieved by other University employees, who also had authorization to view the documents. According to Giacobbe, the individual failed to realize that, by placing the files in that location, the information was also visible to other parties, including internet search engines. While other media outlets have reported that the individual responsible made a mistake and would not be punished, Vice President of Student Development and Campus Life, Karen Pennington, said that the matter was still under a full investigation. When Gatens contacted Giacobbe about his findings, he was informed that the process of having the files removed from the Google search engine normally takes three to five business days. The University, in an effort to expedite the process, contacted the State Attorney General's office, which assisted with the removal of all files. Last Thursday, Pennington sent a campus-wide e-mail about the slip up, and urged undergraduate students with a declared major and an assigned academic advisor to take retroactive precautions to protect themselves and their credit reports. Pennington said that the University has received responses from parents and students regarding the announcement of the security concern. "There have been clarifying questions regarding the event," Pennington said. "Responses from students fall into three categories: clarifying whether [he or she] was specifically affected; clarifying how to get a free fraud alert versus having to pay and general concern regarding the incident." While students have sent letters and made phone calls as a way of expressing concerns, and complaints, they have also joined forces electronically by creating online blogs and groups through sites like Livejournal.com and Thefacebook.com. Mancine's post received 11 comments from other undergraduate students discussing the incident, and the possibility of taking legal action against the University. Another student, who could only be identified by the username 'ticklish721,' said "I may take legal action if I find something suspicious on my credit report." In addition to the Livejournal group, Montclair_State, 45 students have joined the "MSU Screwed Up and I Fell Victim to ID Theft" group, created by computer science major, James Ragucci. Students, such as music major Rosemary Topar, are using the group to unify any students interested in participating in a class-action lawsuit against the University. After reading about a bill signed by N.J. Governor Codey that would require colleges to stop using social security numbers as identification numbers, Topar asked, "Will someone please tell me why the University failed to halt the use of our social security numbers starting with this year?" Giacobbe said that Montclair State has been working to implement an alternate identification system for the past several months, and expects the system to be functional before the end of the year. "The campus-wide identification system is a unique eight-digit number for every student and University employee that will be used in place of a social security number for most University business and all online authentication," Giacobbe said. Pennington said that she was confident that the change will prevent unauthorized disclosers in the future. An information technology representative from Kean University said that their University has already made the change from social security numbers to an alternate form of identification. "While we have made the switch to an alternate number, students may choose whether they want to use their social security numbers, or not," she said. In some cases, according to Giacobbe, social security numbers will remain necessary. "Certain State and Federal processes, such as student financial aid, require social security information," Giacobbe said. "The numbers must remain a part of an individual's private ... record, but as of the end of the year, they will no longer be used as a primary indentifier or for logging into online services." _________________________________________ InfoSec News v2.0 - Coming Soon! http://www.infosecnews.org
This archive was generated by hypermail 2.1.3 : Fri Oct 21 2005 - 13:59:34 PDT