University exposes students to ID theft

October 15, 2005

By Kelly Heyboer, Star-Ledger staff

http://www.nj.com/news/ledger/jersey/index.ssf?/base/news-1/1129351807179850.xml&coll=1



Montclair State University posted the names and Social Security numbers of 9,100 undergraduates on the Internet for nearly four months, exposing the students to identity theft, campus officials said yesterday.

Embarrassed university administrators sent students a letter on Thursday informing them of the computer glitch and urging them to check if their Social Security numbers have been stolen.

"Certainly our hope is we've caught this in time," said Ann Frechette, a Montclair State spokeswoman.

The university's information technology staff discovered the problem last Friday after an undergraduate put his name into the Google Internet search engine. The site listed a link to a file on the Montclair State Web site that contained the student's name, major and Social Security number.

"He just happened to stumble over it. Fortunately, he was quick to alert our IT department," Frechette said.

Campus officials discovered that a Montclair State employee had been storing undergraduate student files on the university's Web server for months. Though the information could not be easily accessed through the Montclair State Web site, several Internet search engines listed links to the files in routine searches of students' names.

Montclair State officials removed the files Oct. 7. They also contacted the state Attorney General's office to push Google and other Internet search engines to quickly clear their caches and erase any lingering links to the information.

The last of the links was removed at 9 p.m. Wednesday, Frechette said.

Campus officials declined to reveal which employee or department posted the student information. But they said the posting was a simple mistake and the employee was not punished.

All 16,000 Montclair State students were informed of the problem, though only the files of 9,100 undergraduates who had declared a major and been assigned an academic advisor were posted on the Web.

School officials urged students to get copies of their credit reports and file a police report if they notice anything suspicious.

"We strongly recommend that you consider placing a fraud alert, at no charge to you, on your credit account," Karen Pennington, a Montclair State vice president, said in a letter to students.

As of yesterday afternoon, 18 students had contacted the university with questions. None said their identity had been stolen.

But many students said they were worried.

Katie Mancine, a fine arts/painting major, said she is frustrated the university still uses Social Security numbers to identify students.

She also said she felt school officials were slow to inform students about the glitch. Many students have not seen the campuswide e-mail warning them about the problem, said Mancine, of Keyport.

"I believe this is big news and nearly three quarters (of) the students at the school have no idea it's even happening," said Mancine, 20. "I hope someone takes this to a lawyer or someone loses a job over this."

Montclair State is the latest in a growing list of colleges and universities that exposed their students to identity theft. Over the last few years several schools, including New York University, the University of Texas at Austin and the University of California at San Diego, reported hackers broke into their computer systems or accessed unsecured files containing their students' Social Security numbers.

Earlier this year, acting Gov. Richard Codey signed a law requiring New Jersey colleges to phase out the use of Social Security numbers on class rosters, grade postings and student ID cards. Montclair State plans to stop using students' Social Security numbers by the end of the year, school officials said.

[an error occurred while processing this directive]