UI students' information mistakenly put on Web
URBANA – The Social Security numbers of some University of Illinois students were posted on a Web site for about six weeks in January and February.
The Department of Computer Science inadvertently posted the names, Social Security numbers and UI identification numbers of some of its students on its departmental Web site. The posted file did not contain the Social Security numbers of all the students listed, but it did contain the UI identification number for all of them.
"We are not very proud when it happens to us," said Computer Science Department head Marc Snir. "Safety is something we are concerned about and we are teaching. When we are not following our own teaching, we are not very happy."
"We're taking it very seriously," he added. "We really want to make sure it doesn't happen again."
That effort includes hiring an information security officer who will be responsible for maintaining all information security within the department. Previously, Snir said, that responsibility was spread among several people in the department.
"That was probably one of our mistakes," he said.
Snir said the Computer Science Department is also requiring training in the handling of personal information for all its faculty and staff.
The Web page with the numbers was accessed during the time it was posted, but there have been no reports of identity theft or other inappropriate use of the numbers, said UI spokeswoman Robin Kaler.
The file was posted to the site on Jan. 6 and removed on Feb. 20, after a friend of one of the students saw it and reported it to the student, who in turn notified UI administrators.
"An Excel spreadsheet was posted to a Web site in the course of someone's job duty," Kaler said. "The person who made the posting mistakenly believed the Web site was a restricted access area only."
Kaler said the students affected were enrolled in the Department of Computer Science for the spring and fall semesters of 2004 and 2005. Social Security numbers were posted only for students enrolled in the spring 2004 semester, and for only a portion of those students.
The file had other personal information, such as gender and ethnicity, and it was collected to calculate aggregate demographic statistics for the department, such as student retention or time to graduation.
Kaler would not say how many students had their information posted on the Web site, whether they were undergraduate or graduate students, or what percentage of the total number of computer science students were affected.
"We're trying to do everything we can to ensure their identities are not further compromised," Kaler said. "If someone thinks they have some information, we don't want to do anything to help them be able to use it."
The UI contacted Google – the only search engine through which the file was accessed – and asked it to remove the cached document, and officials contacted other search engines to ensure they didn't have any copies of the file. They also reviewed access to the department's Web site. The UI sent letters to all the students affected, some of whom are no longer at the UI, explaining what happened and what the UI is doing to ensure it won't happen again.
"Some people were worried about future abuse, with knowing their number was compromised for some period of time," Kaler said. "Those folks we've directed to resources that help you monitor and detect problems and help solve them if they happen."
She said they were also concerned about what information might be accessed with their UI identification numbers. She said the number is relevant only for processes within the university, and access to it alone won't allow someone to obtain personal information about a student.
The computer science department is working with UI administrators to help other units understand the problem and take steps to prevent it, Kaler said.