Second set of personal data is posted on NYU Web site

February 3, 2004

Kate Meyer, Washington Square News

(U-WIRE) NEW YORK -- Just more than a month after New York University deleted a Web site displaying 1,800 students' personal information, a new cache of private data was discovered on an NYU site and deleted Friday.

The personal information of at least 2,100 students, alumni and professors, including 400 Social Security numbers, was on several mailing lists that were inadvertently accessible on the Bronfman Center for Jewish Student Life's NYU Web site.

The site was taken down after Washington Square News informed Information Technology Services director Marilyn McMillan of its existence.

"We'll do something to close that down right away," McMillan told WSN Friday. "This is the first I've heard of it."

Birth dates, permanent addresses, phone numbers, e-mail addresses, residence hall addresses and, in some cases, Social Security numbers, were on the lists. McMillan could not determine how long the site had been up, though the information had been compiled as recently as Dec. 5 and as long ago as August 2002.

"It was certainly a mistake that these files were not protected," McMillan said. "We're working to figure out whose mistake it was."

Many students contacted were shocked to learn that their private information was online.

"It's very disappointing to me that the university would have that kind of lapse," said Noah Young, a junior in the School for Continuing and Professional Studies, who was on a list. "They should have taken a lot more care and concern when publishing any type of information about their members."

The university sent out two e-mails on Saturday night -- one to students whose Social Security numbers were displayed and one to those who had other personal information posted -- explaining the situation and advising students about protecting themselves from identity theft.

McMillan suggested that all affected students place fraud alerts with credit companies, even if their ID number was not on the site.

"They should probably put a fraud alert on their record, because there's enough other personal information up there ... that it wouldn't take much more to make an identity theft," she said.

McMillan said the number of students affected was about 2,100, but WSN calculations put the number closer to 2,300. Bronfman Center director Rabbi Andrew Bachman apologized for the exposure, but maintained that it was an accident. "We're correcting the problem as soon as we can," Bachman said. "There certainly is no malicious intent in the oversight, nor is there any secret desire on our part to gather information."

Most of the information was collected to create a standard mailing list, Bachman said. The Social Security numbers, which double as student ID numbers, were collected in order to "track" students, Bachman said, especially in instances in which students' contact information changes over time.

The security lapse is the second in about a month. A similar slip, revealed in late December, involved about 1,800 students who had signed up for intramural athletics. A list of their information was inadvertently available online for two years.

"I'm really disappointed after the whole athletics department thing that nobody figured out that they should check their own Web site," said College of Arts and Science freshman Nicholas Banco, whose personal information, but not Social Security number, was posted on the Bronfman site.

After the first incident, ITS conducted a "careful, but clearly not complete" review of the contents of NYU's Web site, McMillan said. The department used an automated process that scanned for numbers that resembled Social Security numbers and found three to six Web sites and took them down.

The Bronfman Center's lists were accidentally made public by the original webmaster, who failed to adequately secure the files. The current webmaster, a graduate student, was under the impression that precautions had been taken, Bachman said.

"The student leaders built the Web site," Bachman said. "I would ordinarily have assumed that security mechanisms had been put in there, but they weren't."

Some students involved in the first breach said they were thinking of suing NYU for violating the Family Educational Rights and Privacy Act, which protects students' education records, including general personal information.

Students contacted over the weekend said that they, too, were interested in suing.

Jonathan Vafai, chair of the Student Senators Council, NYU's chief student decision-making body, was on one of the Bronfman lists. Though his Social Security number was not revealed, he said the university needed to be held responsible for its actions.

"I'm not a big fan of people suing, but this is a pretty egregious situation, and there are laws the university is supposed to follow," Vafai said. "If they have to sue, they have to sue."

Banco said he did not submit his Social Security number for the list because he was concerned about his privacy from the start.
