POSTED: 1:30 a.m. HST, Oct 30, 2010
A faculty member at the West Oahu campus apparently inadvertently uploaded personal information of 40,101 students to the Web. The information belongs to students who attended the West Oahu campus from 1988 to 1993, and Manoa students from 1990 to 1998 and in 2001.
The information was posted by a now-retired Institutional Research Office faculty member at 2:46 p.m. Nov. 30, 2009.
Everything from a student's Social Security number and citizenship to the highest level of education attained by parents, marital status and addresses was available online until Oct. 18, when the Liberty Coalition in Washington, D.C., discovered the information through a Google search.
"The part that really disturbed me is when he was asked, 'Why did you move it to this server?' his answer was, 'Because I didn't have enough room on my home computer,'" said Aaron Titus, an attorney and the coalition's privacy director.
IF YOU'RE AFFECTED
The University of Hawaii has set up a website and call center for people who believe they are affected by the security breach. Visit www.uhwo.hawaii.edu/idalert or call 956-6000 from 8 a.m. to 4:30 p.m. on weekdays.
NationalIDWatch.org is also holding a conference call for UH alumni to explain the details of the investigation and answer questions. It will be Wednesday at 10:30 a.m. Call 610-214-0200 and enter access code 863597#.
UH-West Oahu spokesman Ryan Mielke said there is an ongoing internal investigation, but the school does not suspect the retired faculty member acted out of malice.
The faculty member was trying to update a previous study he had done on why students drop out of college.
Titus said the faculty member thought the File Transfer Protocol server was secure because it prompted him for a user name and password. The information was taken offline by UH hours after Titus alerted the university, and Google removed the information from its cache Thursday evening.
It is a well-worn scenario seen in universities across the nation, he said. Faculty often misunderstand the technology and unwittingly upload information they believe to be secure.
Titus said he often searches for possible violations of privacy online. The Liberty Coalition sponsors NationalIDWatch.org, which provides free identity exposure reports as a public service.
The largest security breach Titus has found was at Florida's Agency for Workforce Innovation, which posted about 250,000 names and Social Security numbers online in October 2008.
The second largest was in June 2007 at the Louisiana Department of Education, where Titus found personal information of about 200,000 people in the state.
Titus said he often approaches his searches like a "lazy identity thief." He does a Google search for "Social Security number," punches in a generic first name and sees what comes up.
Titus said Hawaii could have avoided the breach if it had used software, such as Identity Finder, that could scan its servers for any uploaded personal information.
"We are investigating both commercial and open-source software options for scanning for sensitive information," said David Lassner, UH vice president for information technology.
UH has been phasing out the use of Social Security numbers to identify students since 2002. The information technology department also has been training faculty on university policies and on protecting sensitive information.
Since his discovery, Titus has been working with UH officials on addressing the problem. This is the third such security breach from the university since 2009.
In July the university announced that there was unauthorized access to a computer server with information on more than 53,000 people who did business with the Manoa campus parking office.
In May 2009 more than 15,000 students who applied for or were granted financial aid at Kapiolani Community College had their information compromised due to a computer being infected by malware.