Jim Turner reports:
An information security breach has been reported involving employee and student records at Northwest Florida State College in Niceville.
[…]
According to the state Department of Education, the breach included more than 3,000 employee records and approximately 76,000 Northwest College student records containing personal identification information; and approximately 200,000 records with information including names, Social Security numbers, dates of birth, ethnicity, and gender for students across the state who were eligible for Bright Futures scholarships for the 2005-06 and 2006-07 school years.
Read more on Sunshine State News.
The college has set up a web site for the breach. According to their update today:
The NWFSC student information compromised in the security breach contains public directory information including name and address, as well as confidential student data including birth date and Social Security number. The Bright Futures scholars’ data file includes all State of Florida Bright Futures eligible students during the 2005-06 and 2006-07 academic years. This data file contains student names, Social Security numbers, dates of birth, ethnicity and gender. No student academic files have been compromised.
The college reports that the breach was discovered following an internal review conducted between October 1 – 5, after the college started receiving reports of fraud from employees. Even the college’s president became a victim.
In a memo sent to employees via e-mail on October 8, the college informed them:
We know from May 21, 2012 until September 24, 2012 one or more hackers accessed one folder on our main server. This folder had multiple files on it. No one file had a complete set of personal information regarding individuals. However, by working between files, the hacker(s) have been able to piece together enough information to be able to engage in the theft of identity of at least 50 employees.
We know by working between files data regarding Name, Social Security Number, Date of Birth, and Direct Deposit Account numbers were accessed. Additional directory information such as address, phone numbers, college email address, etc. was also likely compromised.
We know three specific mechanisms have been used to engage in identity theft. The first is to use PayDayMax, Inc. as a conduit for taking out a personal loan which is repaid by debiting your bank account. The second is the same process using Discount Advance Loans. The third is to apply for a Home Depot Credit Card in an employee’s name and then use that card.
We know current employees and all retirees/past employees since 2002 that have had direct deposit of their pay have the potential to have had their information compromised.
The college says that the system has now been secured.
Kudos to the college for doing a terrific job of notifying employees promptly and issuing timely updates as they learn more.
[The NWFSC student information compromised in the security breach contains public directory information including name and address, as well as confidential student data including birth date and Social Security number.]
DOB is directory information, not confidential, isn’t it?
Many schools do not include DOB as directory info, because the “Directory Information” is defined as elements of the education records that would generally not be considered an invasion of privacy. That said, schools are allowed to define “Directory Information,” so some schools, like Clemson, disclose – without consent – a slew of information (see http://www.registrar.clemson.edu/ferpa/directoryInfo.htm for Clemson’s definition).
Learned something new. Hadn’t thought about it that way. Thanks.
Terrible breach. SSN, ethnicity & gender.
[Information including names, Social Security numbers, dates of birth, ethnicity, and gender for students across the state who were eligible for Bright Futures scholarships for the 2005-06 and 2006-07 school years]
Wow, just looked at Clemson’s directory information.
http://www.registrar.clemson.edu/ferpa/directoryInfo.htm
Learned some more about FERPA.
I don’t want to single out Clemson – it was just a convenient example of how much info can be disclosed without consent under FERPA. NWFLSC’s policy/definition is: