September Data Breaches Hit Kentucky and Florida

• By Dian Schaffhauser
• 10/01/09

Eastern Kentucky University (EKU) in Richmond became the latest institution branded by a data breach when its IT team found a file containing sensitive data that could have been accessed through its public Web site. According to a FAQ posted on the university's Web site, the file contained the names and Social Security numbers and other information for 5,045 faculty, staff, and students on the institution's payroll during the 2007-2008 academic year.

The university said it has no knowledge that the personal information in the file was misused or exploited. Initially posted Sept. 29, 2008, the file was discovered nearly a year later, Sept. 18, 2009 when members of the IT staff performed a Google search.

As quoted in the campus' student newspaper, The Eastern Progress Online, Mona Isaacs, associate vice president of IT, said the file was found "by serendipity." "We were actually searching for something else when we found it," she said.

The file had been posted by a university staff member into a directory containing other public documents, according to the university, in violation of Eastern Kentucky's information security policies and guidelines. "It demonstrates that we must have heightened vigilance in this area," the university said in its FAQ. "EKU is undertaking an institution-wide data inventory initiative and conducting a full review to further improve our policies and practices regarding the security of our confidential data."

Although the file was removed immediately, the university said Google still had pointers to the file which could return "small snippets." Once Google confirmed removal of those pointers, individuals on the list were notified of the breach, five days after discovery. The university said no reports of identity theft have surfaced among those involved.

The university has designated two people in its human resources department to address personnel concerns about the breach and has set up an e-mail address, phone hotline, and Web page to provide additional information.

This incident falls on the heels of two other breaches surfacing in higher education during September.

On Sept. 1, some 100 students at Bluegrass Community and Technical College based in Lexington, KY received letters from the college saying that their names and Social Security numbers had been reported to the police as stolen. According to coverage by WKYT, a news program in the region, the letter contained few details, and school administrators would give no details about the theft, only confirming that it had taken place and that a police report had been filed.

Then the University of Florida in Gainesville reported a privacy breach Sept. 14 after the discovery of an unprotected file containing 34 names and 25 Social Security numbers on a computer in use at the campus. In a news release the university said it believed the personal information belonged to trainers working with the Florida Traffic and Bicycle Safety Education program in 2006. Earlier in the year, the university had informed 97,200 people that a hacker had broken into a legacy application and may have taken social security numbers of campus community members present and past.