Student SSN leaks on Web lead to U. Nebraska tightening security

March 29, 2006

Comtex Business Via Thomson Dialog NewsEdge

http://www.tmcnet.com/usubmit/2006/03/29/1518938.htm



The University of Nebraska-Lincoln is taking steps to secure its network after a Google server inadvertently stored a Web page listing students' Social Security numbers.

According to a letter sent to affected students by Vice Chancellor of Student Affairs James Griesen, 342 students from the College of Engineering had personal information - including Social Security numbers, e-mail addresses and grade point averages - posted online.

Gary Aerts, UNL director of enterprise information solutions, said the problem was first discovered last summer when someone within UNL realized the same site was unprotected and open to the public.

The site, which was created in November 2004 and used by the engineering department to track student information, was removed from the UNL Web site within 24 hours of the discovery.

Kelly Bartling, UNL's manager of news, said students were not notified during the summer because there was no evidence anyone had accessed the page.

``The point is as soon as it was discovered, it was taken care of immediately,'' said Meg Lauerman, director of university communications.

However, the same site was found again when a UNL student searched for some of his personal information last week on Google.

Last Thursday, the Daily Nebraskan contacted the engineering department to report and inquire about the problem, which was first discovered by a Daily Nebraskan photographer whose name and personal information were on the Web site.

Within a few hours, top UNL administrators, communications and information specialists held an emergency meeting to identify and discuss the problem.

Bartling said it's unknown how long the site was open on Google.

In his letter sent Monday to students, Griesen wrote, ``It would not have been apparent to users of the server that the file was unprotected, and we have no reason to believe that it was accessed by anyone during this period of time.''

However, he encouraged those notified to watch for any signs of information misuse.

Aerts said the site doesn't exist on UNL's Web site but likely was stored in a Google server as a ``shadow.''

He called Google ``sanctioned spyware'' that operates by sending ``spiders'' into the Web to index sites for the search engine. Through this process, the Google network logged an unprotected UNL Web site that contained the information.

Aerts noted that the Web crawlers are unable to distinguish and weed out descriptive personal information.

When the site was first discovered over the summer, Aerts said UNL conducted an extensive check of the other major search engines and didn't find the site.

Aerts said he thinks the page was stored on an old Google server and reappeared.

``We can't explain it any other way,'' he said.

UNL contacted Google to have the site removed after the problem was discovered again last week, and information about the security failure was released to affected students after the site was taken offline.

``The university will be upfront about breaches of this nature,'' Lauerman said, adding that UNL has a commitment to openness and honesty with its students and employees.

Aerts said UNL is taking extra measures to make sure its network is secure, and administrators said they are using the incident as an opportunity to re-examine and tighten their policies and procedures when it comes to dealing with leaks of private information.

Lauerman said as technology changes, policies must change to accommodate, and UNL is studying what it can do to keep a similar problem from happening in the future.

The university now has a system to periodically check search engines for the site, Aerts said, but he doesn't know how the university could check if similar sites have made it to the Web.

``I honestly don't know how you'd even go about that,'' he said, noting the university would have to search for every student name and Social Security number on all the major search engines to be completely sure the information wasn't public.

Added Aerts: ``There's nothing to say that individual students shouldn't Google their name'' to make sure his or her private information isn't posted.

Chris Jackson, vice chancellor for business and finance, said UNL's use of Social Security numbers would be phased out completely by the end of this summer, which should help protect students' personal information and keep the problem from being repeated.

The Web site that caused the problem was created before UNL began transitioning to university-issued student ID numbers.

Bartling said the university hasn't received any response from students who were sent letters about the incident, but she noted the students might not have received the notification yet.

In the meantime, Aerts said UNL's information security has room for improvement.

``More resources are needed in this area,'' he said.

Lauerman said the incident was unusual - noting that of all the UNL Web sites in existence, only one breach has been found - but the university isn't taking it lightly.

Aerts agreed.

``The university takes the protection of student, employee and faculty data very, very seriously,'' he said.

At the same time, he said the university couldn't guarantee 100 percent protection from leaks because of hackers and rapidly evolving technology. ``We have to be constantly vigilant, but we take it very seriously.''

