New CUNY security slip

September 28, 2005

By Ellen Yan, Staff Writer,0,5078667.story?coll=nyc-nynews-print

The CUNY foul-up that put students' personal information a Google search away from identity thieves was more widespread than first reported, with school officials saying yesterday that the Social Security numbers of hundreds of employees also got on the Web.

City University of New York officials detected the unprotected payroll link for Hunter College Campus Schools this past Wednesday after a law student tipped them about search engine links to CUNY files.

Delayed response

But while 335 Queens College law students got alerts on the breach Thursday, CUNY waited until Friday to e-mail memos on the Hunter problem that involved 265 workers and 171 former workers and retirees from the elementary and high schools, according to the Hunter memo and CUNY's chronology.

CUNY spokesman Michael Arena said the school acted quickly, but he did not explain why the memo was sent later than the one for law students.

"They need to show us what was up there," said a Hunter retiree, who did not want to be identified in the paper.

"I know people are closing bank accounts, people who may or may not be on the list. They're going through the contortions and it's not fair. They should tell us what's on the list and let us make informed decisions."

CUNY blocked their links to the files late Wednesday and contacted Google, a search engine that keeps cached information. The caches, or copies of the pages available for retrieval later, remained on Google until 6:45 p.m. Friday.

Failures raise questions

The security failure, first reported in Newsday yesterday, prompted a flurry of memos up the chain of command yesterday, ending with CUNY chancellor Matthew Goldstein telling the Board of Trustees that it was "a most regrettable data breach."

The university controller's office failed to "request security to be enabled" in the case of the law school, while errors in protecting Hunter files were not detected by security tests, Brian Cohen, CUNY's chief technology information officer, and controller Barry Kaufman wrote yesterday to senior vice chancellor Allan Dobrin.

The failed test and procedures raise questions over whether this has happened before at CUNY. Arena, who noted that all CUNY files have been doublechecked on security since last week, said that there are no indications a similar problem occurred before.

It's not clear how much damage has been done, but CUNY's written explanation reports that the Hunter files were accessed 217 times from July 1 to Sept. 22, including 180 times through Google.

The files on law school students' financial aid were created in August and officials are trying to determine how many times they've been accessed.

New review of security

The university has initiated new security and testing procedures to prevent future leaks and will also have a chief information security officer on the job next month, a new position that's been in the works for months, CUNY officials said.

"The university has undertaken a review of existing procedures so that effective safeguards are fully implemented without fail," Goldstein wrote.

Arena has described the foul-up as "human error" but did not offer further details.

Law students yesterday met with CUNY administrators to demand options, including financial help to pay for credit checks. Arena said the university will review student needs case by case.

But some students left the meeting frustrated.

"It seems like they're waiting for somebody to get our credit card or utility bill with our name and that's when they're going to be able to help us," said the law student who initially alerted CUNY about the problem. "That's not good enough."

[an error occurred while processing this directive]