Federal loan Web site left unprotected

September 17, 2006

By Brian Morelli, Iowa City Press-Citizen


Complications from a computer software upgrade caused a security breach that left loan borrowers' private information, such as their Social Security numbers, unprotected online.

The problem occurred from the evening of Aug. 20 to the morning of Aug. 22 on the Web site of Direct Loans. Direct Loans is part of the William D. Ford Federal Direct Loan Program within the Dept. of Education and Federal Student Aid.

"During this time, borrowers using specific options on the Web site may have been able to view and/or update information other than their own," according to a letter obtained by the Press-Citizen that was sent to an affected University of Iowa student.

Like many UI students, Bethany Martin, 20, a junior, receives Direct Stafford Loans, which fall under the umbrella of Direct Loans. Martin received a similar letter in the mail.

"I was kind of annoyed about it," Martin said. "Anything that exposes your personal information is an error on their part."

She said she has not had any problems with identity theft thus far.

Beth Oaks, associate director of the financial aid office, oversees the Direct Loan program at UI. She said the situation was not as risky as if there had been a malicious attempt to steal information but having one's Social Security number exposed is still risky.

"Anytime you have a Social Security number that you put out in the public realm, there is a risk there," Oaks said. "(But) something like this could happen at anytime with any entity that owns their secure information. I recommend students keep a close eye on their credit reports and if they see anything suspicious, they should report it."

More than 60 percent of UI students use Direct Loans while attending school, but it is unclear how many were affected, she said, adding that no students had contacted her.

Mary Bushman is a spokeswoman for ACS, the company to which the Department of Education outsources its information technology needs.

Anyone who used the Web site and performed the same transaction at the same time in the same part of the system as another user could have had his or her data exposed, Bushman said.

She estimated that 21,000 accounts of the more than six million on the system could have been affected. All those potentially affected already would have been notified, she said.

"There is no information to date of any compromise of anyone's information," Bushman said.

Upon discovery of the issue Aug. 21, online payment and electronic correspondence options on the Web site were disabled. Errors in other online menu options were discovered Aug. 22 and disabled immediately, the letter stated. The Web site was fixed Sept. 1.

"We sincerely apologize for this incident and take our responsibility for protecting the accuracy, privacy and safety of your personal information very seriously," the letter stated.

Federal Student Aid is offering affected students a free one-year membership to Equifax Credit Watch Gold with 3-in-1 Monitoring. The period for enrollment ends Nov. 30.

main page ATTRITION feedback