tbo: Tampa Bay Online.
Saturday, Nov 18, 2017
  • Home
News Roundup

Data breach hits University of Tampa students

TAMPA - One breach left the Social Security numbers and dates of birth of more than 6,800 University of Tampa students from the fall semester in public view of anyone armed with a computer. Two other breaches — affecting nearly 30,000 individual records — exposed the same kind of information involving faculty, students and staff members who had been at the university between January 2000 and July 2011. The trio of errors has students at the downtown university worried and school officials scrambling to control the damage from what was discovered accidentally by a class this week doing an advanced Google search. "I’m not sure I can find words to express how worried they should be," said Cpl. Bruce Crumpler, who works in the economic crimes division of the Hillsborough County Sheriff’s Office. "I think they should be very concerned."
Paul Stephens, director of policy and advocacy for the Privacy Rights Clearinghouse in San Diego, agrees. "This would be categorized as a major and critical breach because of the nature of the information," he said. "Anytime Social Security numbers are involved, particularly in connection with dates of birth, those are the keys to the kingdom for an identity theft." Criminals can take out a credit card, start a cellphone contract and even buy a house or file taxes with a stolen identity. "It’s a very, very serious breach," Stephens said. Donna Alexander, vice president of information technology for the university, described the risk to students as minimal, however. She said breaches such as what occurred at UT are common. That doesn’t make Michelle Obos feel any less concerned. The freshman from Illinois worries that someone might have information about her that could lead to trouble. Her name. Her date of birth. Her student identification number. Even her Social Security number. They were all out there — available through a Google search — for months because of a university error. University officials told students this week that much of their vital information had been breached by what they called a "server management error." "It’s scary because of all the identity theft going on these days," Obos said Friday afternoon. "It makes me wonder who got ahold of my information." In the hands of the wrong person, Obos said, there could be credit cards out there with her name on them linked to her Social Security number. "That’s so creepy," she said. "I would have no idea." The files were available to the public for viewing from July through the day the class found them on Tuesday, Alexander said. The six or seven students — university officials are not releasing the name of the class — were astonished at what they found. The students told their professor, who then told them to report the matter to the information technology office. "We took immediate action to take the files down so they would not be accessible any longer," Alexander said. "We know the exposure is somewhat limited, but we are certainly concerned about any exposure whatsoever." While university officials say the "sensitive information was displayed as a string of numbers that would not be immediately obvious to a casual viewer," some officials say it is not the casual viewer that people have to worry about. "You are concerned about the hacker and the ID thief," Stephens said. "They are the ones who are going to be utilizing procedures to translate this sort of information." University officials said they can tell that the fall student records were accessed "more than a couple of times" by people outside the class. They believe the larger group of records was seen only by the class. The university will pay for each potentially affected person to sign up for fraud-alert services. Letters will be sent telling people how to take advantage of the program. The school also will evaluate its systems to make sure such personal information is not readily available again. This was a case of human error, Alexander said, though she refused to say if anyone was facing discipline. "In this case there was a situation where the protective measures for that particular directory were not as tight as they should have been," Alexander said. "It’s kind of like putting locks on your door at home. You can add locks and bolts and do different things that will make it safer or better against new threats," she added. "But in any situation can you completely and totally lock everything down? The answer is no. That’s true across the board. It’s not unique to higher education." According to UT, quoting statistics from Privacy Rights Clearinghouse, 16 schools across the country have had data breaches this year. Since 2005, there have been 600 data breaches nationwide involving more than 9 million records, the university added. Those numbers don’t minimize the UT situation, according to Stephens of the San Diego group. "Every breach, particularly one that involves Social Security numbers, is a serious matter for the individuals whose information has been impacted," he said. "It doesn’t make this particular incident any less serious." rshaw@tampatrib.com (813) 259-7999
Weather Center

10Weather WTSP