Archive for Sunday, August 24, 2003

Security breach

A second incident of private student information being taken from Kansas University computers indicates the need for a serious review of training and security procedures.

August 24, 2003


In this age of instant computer communication, a little error can cause a large problem.

For the second time this year, a group of Kansas University students has had private information from the university's computer files exposed inappropriately. Early this year, a computer hacker tapped into KU's system and downloaded the files of 1,450 foreign students. The loss of information had serious consequences for many students and threatened to make it more difficult for them to leave and regain entry into the United States. The incident still is under investigation by the FBI.

Where the foreign student incident certainly was unfortunate, at least it was perpetrated by someone outside the university. The incident revealed during a legislative committee meeting last week apparently was the result of sheer carelessness by state and university employees.

In the process of soliciting bids for a liability insurance policy, a clerk at KU Medical Center was asked for the names of about 920 nursing and health students who would be covered by the policy. The helpful clerk forwarded those names to the Kansas Department of Administration, complete with the Social Security numbers, which placed both the names and the numbers on the Web site where bids were being sought.

The Journal-World story on this incident indicated that the numbers weren't recognized at the purchasing division as Social Security numbers. Is it that hard to recognize a Social Security number? Even if it wasn't a Social Security number it probably would have been some other important identification number, such as a student ID, that certainly shouldn't have been posted to the Internet.

The chain of stupidity or incompetence that led to this posting should concern anyone who has entrusted KU -- or any other state entity, for that matter -- with personal information. It's unbelievable and inexcusable for the university and state staffers to be so inept in handling confidential information.

The numbers were on the Internet for under a week in April. So far, none of the students has reported any problems with identity theft. Both they and the state may have dodged this bullet this time, but there seems little doubt that changes must be made. Two incidents within a year in which private student information has been infiltrated -- or simply released inappropriately -- clearly indicate the need to revisit training and security measures to decrease the chances of more security breaches.

Commenting has been disabled for this item.