The Social Security numbers, grades and other personal information of more than 40,000 former University of Hawaii students were posted online for nearly a year before being removed this week, The Associated Press has learned.
University officials told the AP that a faculty member inadvertently uploaded files containing the information to an unprotected server on Nov. 30, 2009, exposing the names, academic performance, disabilities and other sensitive information of 40,101 students who attended the flagship Manoa campus from 1990 to 1998 and in 2001.
A handful of students from the West Oahu campus were included in the security breach. UH-West Oahu spokesman Ryan Mielke said there was no evidence that the faculty member acted maliciously or that any of the information was used improperly. The faculty member, who retired from the West Oahu campus in June, was conducting a study of the success rates of Manoa students, and believed he was uploading the material to a secure server.
The university apologized for the incident, saying it was investigating how it happened. It was notifying the former students by e-mail and letters, and has also alerted the FBI and Honolulu police.
"We are troubled (and) determined to notify everyone according to law and committed to do everything possible in the future to prevent this from happening," UH system spokeswoman Tina Shelton said.
The incident is the third major information breach in the UH system since last year. Each time, university officials promised it was strengthening its network systems and working to identify other potential security risks. In the latest breach, UH immediately removed the exposed files and disconnected the server from the network when it was notified of the information breach on Oct. 18 by Aaron Titus, information privacy director of Liberty Coalition, which is a Washington-based policy institute.
Google cleared its caches late Thursday, some 11 months after the information was first put online. "During that time, theoretically, anybody with an Internet connection could have had access to it. How likely that is … is anybody’s guess," said Titus, who discovered the files under a Google search. Titus said the university’s statement that it has no evidence that the personal information was used maliciously was somewhat misleading.
"Of course they don’t have any evidence of misuse, because the bad guys wouldn’t tell them if they had," Titus said. UH President M.R.C. Greenwood has discussed the issue with all the chancellors in the 10-campus system, emphasizing the policy regarding security and protection of sensitive information. UH has setup a call center and website for individuals who may have been affected. Those who might be affected by the breach were advised to obtain a credit report and to review financial statements to look for unusual activities.
The university system’s other major breaches include this summer’s incident involving the personal information of 53,000 people — including 40,000 Social Security numbers — who had business with the Manoa parking office.
Last year, more than 15,000 students at Kapiolani Community College were warned after an infected computer compromised their information on financial aid applications. "There is absolutely no way that we can say this will never happen again, but we are taking every step that’s possible to make sure it doesn’t happen," which includes upgrading security systems and additional training, Shelton said.
Titus said the university could’ve caught the latest mishap much earlier and quickly blocked any access if it regularly scanned its server for personal information, which takes software that’s readily available. "That wheel has been invented at low cost," Titus said.
UH believes problems will lessen with time because of changes in the use of Social Security numbers. The UH system started to phase out Social Security numbers to identify students in 2002. The numbers are still used to identify students from before that time for transcripts and other requests for information.