The names, Social Security numbers and driver's license numbers of over 100,000 students and faculty at six Florida colleges were available online for five days earlier this summer. Affected people are still being notified by letter and warned to put fraud alerts on their credit, though there is no evidence yet that any of the information has been misused.
A software upgrade was responsible, according to the Florida state agency that caught the error, the College Center for Library Automation in Tallahassee. Tallahassee’s Leon County Sheriff’s Office is investigating.
The breach, which took place from May 29 through June 2, was not even noticed until 20 days later, when a student reported seeing personal information turn up in a Google search, according to the Sun-Sentinel newspaper.
Privacy concerns reported in the media, including ReadWriteWeb, have tended lately to orbit the twin stars of personal security and social media, particularly Facebook. But the large-scale loss or exposure of private information still tends to be institutional. Whether the cause is an employee losing a briefcase or a software botch like this one, large-scale privacy screw-ups argue for every organization having a carefully thought-out privacy policy and a complete and comprehensive IT process.
Jon Brody, Vice-President of TriCipher, an identity and access management company, argues for the addition of security layers to obviate the problems that result from this sort of breach.
“Data in most organizations, especially large and regulated ones like school systems, is protected by layers of technology and process. When a break in these occurs, so does a breach. Students, administrators, and faculty should be concerned if systems they use require only a password for protection. When you add an additional factor to a password like an encrypted code stored on the user’s computer (that can’t be shared) or a one-time code generated by software on a smart phone – you eliminate a great deal of exposure that comes from passwords.”
If any of our readers are involved in organizational privacy or defining privacy elements of IT, especially in education, we’d love to hear from you in the comments. What does your outfit do to make certain things like this don’t happen to your users?
Locker photo by Allan Caplan | Library photo by Guillaume