128 students' social security numbers exposed on Web site

November 16, 2007

By Adrianne Deweese


K-State's Office of International Programs and International Student Center are notifying 128 international students that their Social Security numbers were exposed through a K-State Web site.

The students, who were in the English Language Program, had their information "inadvertently exposed" through a K-State Web site that started with a routine server upgrade in November 2006 that extended about one year, according to a Media Relations and Marketing press release Thursday.

Only international students were affected because the exposed Social Security numbers came from test scores on the English language proficiency test, said Lynn Carlin, interim vice provost for Information Technology Services. All data has been removed from the Web site.

"We don't have any evidence that the students' information has been misused," she said.

Carlin said the server was not an international program server, but it was managed through K-State's Computing and Telecommunications Services, which is a division within Information Technology Services. She said the server was "inadequately security controlled."

She said it is unknown at this time how the situation went unnoticed for one year. Harvard Townsend, university information technology security officer, is investigating the situation, which will be completed within one week, Carlin said.

"We're still completing the incident investigation," she said. "The investigation is ongoing. Our first focus was identifying any students whose numbers could have been exposed."

Carlin said she was notified of the situation Nov. 6, and since then, she said university officials have worked to confirm the security lapse.

"A lot of the work in the last week has been with OIP and ISC making sure the students were notified and provided with proper support," Carlin said. "Now that that is moving forward, the focus will be on the investigation."

"We felt it was very important to notify the students once it was confirmed that 128 students were affected. We wanted to move that forward and not wait until the investigation was complete."

Letters were mailed to all 128 students Wednesday about the situation, said Cheryl May, assistant vice president for university relations and director of Media Relations and Marketing. It is unknown at this time how many of the students still are enrolled at K-State, she said.

The letter informs students about steps they can take to protect themselves through credit bureaus like Experian, Equifax and TransUnion.

"If your information has been exposed, you are entitled to a free copy of your credit report," May said.

May said 1,244 international students enrolled at K-State in fall 2007.

Ken Holland, associate provost for international programs, said advisers at the International Student Center will contact students involved to set up an information meeting and answer their questions, according to the media release.

K-State's Office of International Programs declined to comment on the situation Thursday afternoon.

May said international students who have questions about the situation can contact Maria Beebe, assistant director of the International Student Center, at pappy@k-state.edu or (785) 532-6448. Beebe declined to comment on the situation Thursday afternoon.

K-State started the elimination of Social Security numbers as a form of identification in fall 2006 by removing them from K-State ID cards and implemented Wildcat ID numbers, Carlin said.

"By fall 2008, we will have the ISIS system that will no longer rely on the SSN as a student ID," she said. "The SSN will no longer be used as a student ID anywhere (at K?State)."

main page ATTRITION feedback