La. Security Breach Exposes Thousands To ID Theft



It seems like a list without end -- thousands of student names, addresses, ZIP codes, birthdays -- and Social Security numbers.

In all, more than 80,000 names and Social Security numbers were accessible for perhaps as long as two years on an internal Internet site run by the Louisiana Board of Regents, the body that has oversight over the state's institutions of higher education.

"Well, it's a recipe for identity theft if you have a name, a Social Security number, a date of birth and an address, you can create an identity that will lead to fraudulently bilking credit cards, tampering with bank accounts and the like," the FBI's James Bernazzani said.

"Additionally, someone can apply for a driver's license or other photo identification. They can make counterfeit checks. They can apply for a job. They can get an apartment. They can do any number of these things with your identity," FBI cyber expert Kristy Green said.

Most of the network was password-protected, but the area containing the most potentially dangerous data, including thousands of student Social Security numbers, was not.

Aaron Titus, a law school student and privacy advocate, said he found the open door to the Board of Regents internal network using Google.

Not only did he find the database of student names -- Titus also discovered 150 other files that he said contain up to 75,000 more names of students and employees.

For example, there's a list of administrators and instructors at South Louisiana Community College that includes their Social Security numbers.

"I'd be shaking in my boots. I'd be really, really freaked out. All of my information is available to anyone who wants it right now," Titus said.

He admitted it's hard to pin down how many employees are affected.

"I was astounded when I saw all this information up -- not protected, not behind a firewall, out in the open where anybody in the entire world can get to it," Titus said.

Law professor Julian Murray said the Louisiana Constitution guarantees the right to privacy, including Social Security numbers.

Failing to properly protect student Social Security numbers could jeopardize federal funding for the Board of Regents under the Buckley Amendment, he said.

Murray also said those affected could file a class-action lawsuit against the board.

"I think we should be less concerned about what happens to them as much as what happens to the people they have let out -- that's where the real problem is here. I don't think they can ever answer civilly or morally for what they've done," he said.

The data has been taken down, meanwhile, after WDSU-TV brought the breach to the attention of the Board.

"In some ways, we're thankful that you found it because it showed a deficiency in some of our programs, and we were able to stop it, and now we are going to try to mitigate any damage," Commissioner of Education Joe Savoie said.

main page ATTRITION feedback