ECU Mistakenly Posts Personal Info Online

February 9, 2007

By Mike Charbonneau and Matthew Burns

http://www.wral.com/news/local/story/1198897/



East Carolina University plans to notify about 65,000 students, alumni and staff members about a security breach that could put them at risk for identity theft.

A programming error on the school's OnePass Web site created files that made it possible for anyone to view personal information of thousands of students, former students and faculty members. The information included names, addresses, Social Security numbers and, in some cases, credit card numbers.

"We have no evidence of any mass downloads of information or direct evidence to indicate that personal information has been inappropriately obtained or used," said Kevin Seitz, ECU's vice chancellor for administration and finance.

The university is in the process of eliminating Social Security numbers as student identifiers in its computer systems. Ironically, a mistake during that transition led to the posting of the personal information online, officials said.

A student discovered the problem on Jan. 29 and reported it to police, Seitz said, adding that the information was likely online for no more than a week. University officials secured the site within 15 minutes of being notified of the problem, he said.

Although officials aren't sure how many people looked at the files during that time, Seitz said credit card numbers of 21 people were viewed.

"It scares me. Identity theft is a huge thing these days, and knowing somebody could get all my personal information, especially knowing the school has my Social Security number, I don't like it," student Ben Shank said.

Students said the OnePass Web site is where they do most of their university business, and it contains plenty of personal information.

"It's where we make our course schedules and pick out our classes for next semester. It's also where we buy our parking permits," student Kendra Parks said. "I think it's a little bit disturbing because you don't know who it was that accessed your information at what they could be doing with it."

ECU officials wouldn't comment on possible disciplinary actions in the case, saying only that they are investigating exactly how the error occurred. The university plans to use internal and outside auditors to review its information technology systems, officials said.


main page ATTRITION feedback