128 international students exposed on K-State web site

Date Reported:
11/16/07

Organization:
Kansas State University

Contractor/Consultant/Branch:
None

Victims:
International students enrolled in the English Language Program

Number Affected:
128

Types of Data:
Names and Social Security numbers

Breach Description:
The names and Social Security numbers of some international students at Kansas State University were inadvertently exposed on the K-State web site for almost a year.

Reference URL:
Story at The Kansas State Collegian Online
WIBW News Story

Report Credit:
Adrianne Deweese, Kansas State Collegian Online

Response:
From the sources cited above:

K-State's Office of International Programs and International Student Center are notifying 128 international students that their Social Security numbers were exposed through a K-State Web site.

The students, who were in the English Language Program, had their information "inadvertently exposed" through a K-State Web site that started with a routine server upgrade in November 2006 that extended about one year, according to a Media Relations and Marketing press release Thursday.

All data has been removed from the Web site.
[Comfyllama] Well, not all data of course. At least the confidential data, let's hope.

"We don't have any evidence that the students' information has been misused," she said.  (Lynn Carlin, interim vice provost for Information Technology Services)

the server was "inadequately security controlled."

it is unknown at this time how the situation went unnoticed for one year

"We're still completing the incident investigation," she said. "The investigation is ongoing. Our first focus was identifying any students whose numbers could have been exposed."

Carlin said she was notified of the situation Nov. 6, and since then, she said university officials have worked to confirm the security lapse.

"We felt it was very important to notify the students once it was confirmed that 128 students were affected. We wanted to move that forward and not wait until the investigation was complete."

Letters were mailed to all 128 students Wednesday about the situation, said Cheryl May, assistant vice president for university relations and director of Media Relations and Marketing.

"If your information has been exposed, you are entitled to a free copy of your credit report," May said.
[Comfyllama] In addition, federal law allows for anyone to obtain a free credit report once a year regardless of your circumstance. See FTC Facts for Consumers.

May said international students who have questions about the situation can contact Maria Beebe, assistant director of the International Student Center, at or .

K-State started the elimination of Social Security numbers as a form of identification in fall 2006 by removing them from K-State ID cards and implemented Wildcat ID numbers, Carlin said.
[Comfyllama] Now that's what I am talking about! The root of the problem. Social Security numbers were never meant to be used for identification! Good for you, K-State.

"By fall 2008, we will have the ISIS system that will no longer rely on the SSN as a student ID," she said. "The SSN will no longer be used as a student ID anywhere (at K-State)."

Commentary:
What can you say?  Accidents and human errors will always happen.  Thankfully, this breach is limited in scope and Kansas State is doing the right thing by restricting the use of personally identifiable data (Social Security numbers at least).

The fact that it took a year to notice the exposed data is a little unnerving. I am curious if K-State conducts external security audits through a third party. If they do, then it certainly begs the question of why they missed this. I recommend that everyone with a significant web presence conduct external audits after every significant change AND no less than annually. Change control and security auditing go hand-in-hand.

Past Breaches:
Unknown



 