A Kansas University Web site that accepts personal and financial information from students has been shut down after credit card and Social Security numbers for about 9,200 current and former students were exposed to site visitors.
The KU Student Housing Department's Web site wasn't up to university security regulations, creating security lapses that exposed a list of student housing applications, Vice Provost Denise Stephens said.
"This was one of our departments simply not following university policy," said Stephens, who is the university's chief information officer.
Stephens said that the security problem surfaced during a routine audit of the university's Web sites on Dec. 16. The site was taken offline the same day.
The list contained information from people who completed online housing applications between April 29, 2001, and Dec. 16.
The list included names, addresses, partial and complete credit card numbers, and other personal and financial information.
During the audit, information technology officials could find no evidence that any information had been stolen or used.
After the site was offline, officials began a review of all of KU's Web sites that accept credit card and other information, Stephens said.
Other flaws could be out there, she said, but it will take time until the systemwide audit is complete.
"We have to rely on our policy in the meantime," Stephens said.
The exposed list and security flaws in the housing Web site were different than other recent Web site security problems at the university, Stephens said.
University Web sites have been victim to hackers and departmental errors several times since 2003, resulting in the possible theft or exposure of student information.
But Stephens said that this exposed information stemmed from problems with encryption and other security measures when the housing department constructed the site.
Kip Grosshaus, an administrator in the department, said that Student Housing adhered to university regulations when constructing the Web site.
"We followed the university's policies on those," Grosshaus said.
To help inform students, Grosshaus said the department sent an e-mail to all of the former and current students on the list, including information on identity theft.
But Grosshaus said many of the e-mails came back undeliverable, likely because of expired or full KU accounts. The department also mailed letters to some former students, and will try to mail out letters to those who could not receive the e-mail notice, he said.
University officials said people with questions about the security issue can e-mail email@example.com. They also can call 864-9147 or (877) 529-4295 from 9 a.m. to 5 p.m. weekdays.
Until the Web site is fixed, students needing to pay housing fees or apply for housing should download an application from www.housing.ku.edu and mail it to the department.