Texas A&M Accidentally Posted Students and Faculty SSN’s Online

Texas A&M University Logo

Texas A&M may have compromised the personal records of approximately 5,000 graduate students and university faculty members by accidentally making their personal information public, including Social Security numbers.

On Friday, March 13, the Bryan-College Station campus newspaper, The Eagle, reported on the colossal privacy breach that the university discovered on March 8.

It happened when the Semester Teaching Analysis Report (STAR) posted online on February 13 and was visible to all, although according to the report, it was only accessed by 33 people. The Eagle noted this was “a little less than half of whom did not have university IP addresses.”

The publicly released data of 4,697 faculty and graduate assistants who taught at the university during the Fall 2014 semester included not only Social Security numbers but equally identifiable information — first and last names.

“Texas A&M University takes the security of personal data seriously. We are diligently addressing an incident in which the names and Social Security numbers of faculty members and graduate students were inadvertently made viewable from a departmental website,” said Shane Hinckley, the university’s interim President of Marketing and Communications, in a statement.

Another university official, Joseph Pettibon, Associate Vice President of Academic Services, said in a statement that Texas A&M took swift action upon discovering the error including the immediate removal of the data and notifying those that were impacted. Pettibon did not believe any fraudulent activity occurred as a result of the incident.

According to The Eagle, details of the “mistake” were described in a subsequent email that explained how the Texas Higher Education Coordinating Board requires the teaching report to be submitted with names and Social Security numbers. Before the report was published online, according to the email, Social Security numbers were supposed to be replaced with ID numbers. “In this instance, that change did not occur,” the email stated.

Texas A&M is providing free identity monitoring to those affected for a year. They are also reviewing how to prevent this sort of mistake from reoccurring in the future.

This is not the first time such a mistake happened. In 2012, the university experienced a breach that affected nearly 4,000 former students who graduated before 1985 and requested copies of their transcripts, according to the Houston Chronicle.

At the time, Pierce Cantrell, Texas A&M’s Vice President and Associate Provost for Information Technology, said, “Even though we believe this incident puts these former students at low risk of identity theft, we will notify those individuals affected, as required by university rules and state laws.”

Cantell added, “We deeply regret this happened, and have taken immediate action to restrict access to this file.”

He acknowledged that the data breach was the unfortunate result of when an employee in the registrar’s office accidentally sent the attachment to just one person, a student or former student who had requested a transcript.

“Twenty years ago, we weren’t very sensitive about Social Security numbers — we used to put them on our resumes,” he said. “But since identity theft has been rising, especially in the last 10 years, we’ve been very careful about protecting them.”

A similar incident at the University of Chicago exposed the Social Security numbers and other personal information including names, employee identification numbers, online usernames, email addresses, sex and marital status.  This affected 2,024 current and former employees and students in their Department of Medicine, which Yahoo! Finance reported on March 10.

Likewise, letters were sent to those individuals impacted offering a year of free credit monitoring services, an action that is considered “standard procedure when it comes to data breaches these days,” the article stated also noting that victims should be aware that the risk of fraud does not end when the free credit monitoring stops.

In February, the Maine Campus, the student newspaper of the University of Maine, reported that a data breach impacted 941 alumni and current students.  This incident was the result of a faculty member’s laptop and media card that were reported stolen.

Data breaches like happened at Texas A&M is only one type of online security threat that plague college campuses. Last year, Forbes looked at the cyber dangers that students should be aware of before they leave for college.

They called college campuses a “hotbed for security incidents and a playground for hackers” because of their complex mix of users, private and public areas, secure and open networks and the vast amount of personal and intellectual property data bouncing around them,” according to Alcatel-Lucent Enterprise IT education specialist Neal Tilley quoted in the article.

Forbes listed phishing, ransomware, and malware as the top college cyber security threats, followed by password related cyber crime, wi-fi security, online “card not present” transactions, and portable “Bring Your Own Device” (BYOD) technology that connects to social media and university technology.

According to the Christian Science Monitor, 47 data breaches occurred nationwide in 2013-14 between K-12 and higher education. Since 2005, 718 breaches were recorded across the country.

Follow Merrill Hope on Twitter @OutOfTheBoxMom.