Campus Security

Outside Company Uncovers New Mexico State Data Exposure

• By Dian Schaffhauser
• 03/12/10

A company that monitors the Internet for unauthorized exposure of information recently informed New Mexico State University that data about 300 students had appeared on a computer unaffiliated with the university. Tiversa, a risk mitigation company, notified the institution that it had detected information, including Social Security numbers, related to New Mexico State students on a computer with peer-to-peer file sharing software.

The university contracted with the vendor to determine the type of data exposed and the extent of that exposure, according to Shaun Cooper, associate vice president and CIO. "Through our investigation with Tiversa, we learned that a faculty member teaching a course in 2006 had transferred a student data file for course reporting purposes to a teaching assistant's laptop via e-mail. After the teaching assistant left [the university] in 2007, peer-to-peer file sharing software was installed on the teaching assistant's laptop. Eventually, the student data file was accessed via the file sharing software, without the computer owner's knowledge."

The university contacted the former teaching assistant, who deleted the file from the laptop, Cooper said. It also issued a cease-and-desist letter to the owner of the computer to which the file had been transferred. "The order legally forbids the computer owner from possessing the file that contains the NMSU students' information," Cooper said.

New Mexico State also sent letters to the students whose data may have been compromised and provided them with information about actions they could take to deal with identity theft.

In the years since that data was taken off campus, New Mexico State has implemented several measures to safeguard the personal information of students, faculty, and staff including: the elimination of Social Security numbers from daily business transactions with students; doing more security training with staff and faculty; implementing policies such as requiring that university data be deleted from personal computers when faculty, staff, and students leave NMSU employment; and prohibiting New Mexico State data from being stored on portable or removable electronic media.

"Along with NMSU's faculty and administration, I sincerely regret this incident of unauthorized student data exposure," Cooper said. "We want to assure the entire university community that we place the highest priority on safeguarding all personal information and that we will continue to upgrade our technology and evaluate our policies to make sure that personal data remains secure."