Data Breaches | News

U Tampa Data Breach Uncovered by Students

• By Dian Schaffhauser
• 04/11/12

A data breach discovered in mid-March at the University of Tampa has pushed the Florida institution to enlist credit reporting agency Experian to monitor the credit records of those affected. The breach encompassed 6,818 students who were enrolled for the fall 2011 semester by July 12, 2011.

A text file containing sensitive information was publicly accessible for about eight months, although the university has found no evidence that anybody's identity details had been abused during that period. The information contained in the file included student identification numbers, social security numbers, names, and dates of birth.

Two other database files were also potentially accessible, but neither had been indexed by Google or any other search engine, the university said. Those files contained similar data as well as photos and held 22,722 individual records.

U Tampa blamed the exposure on a "server management error." According to a statement posted to the school's website, all three files had been created to help resolve a university ID card problem that surfaced when a new server was brought online on the network in July 2011. The information resided on internal servers and wasn't intended to be viewed externally.

"Unfortunately, the text file consisting of current student data was later inadvertently indexed by Google. However, the two database files...were not indexed by Google or any other search engine," the university reported.

The text field had been found and viewed by two university students during an in-class activity exploring search techniques. The students reported their discovery to the university's IT organization, which notified Google in turn. Google removed the cached text file from its search engine. The same two students have viewed the two database files too, and allowed IT staff to search their computers and storage devices to eliminate any vestiges of the files.

"Based on our investigation to date, UT administrators believe there is no risk to students and employees in these two database files," the university reported. However, it added, it would be notifying those individuals whose information was in the Google-indexed file to take appropriate identity protection measures.

To address privacy concerns, the university has taken multiple steps. IT has secured the activity logs that maintain information about individual access to the files involved in the compromise and hired a third-party to assess its findings and review security practices and procedures. It also has set up a "breach verification portal" that allows users to log in with their student access information to confirm whether or not their data was in the exposed text file. The university has also sent paper letters to each of the people in the text file with instructions for signing up for the pre-paid identity protection service, which will monitor credit activities for individuals.

"UT takes this incident very seriously, and UT President Ronald Vaughn has ordered a thorough investigation and is taking aggressive action to make sure it doesn't happen again," the data breach site states. "We are constantly improving security features to avoid exposures and breaches, and, a number of tools and services are used to aid in ensuring that the information, computers and the university network are well protected."