When Bari Dzomba, an alumnus of The College of New Jersey (TCNJ), received a postcard this week about a new outreach campaign to alumni, she went and checked out the new site. To her dismay, she discovered that the new site was leaking alumni personal information. She contacted the college, but when, after two days, the site was still not adequately secured, Dzomba, a Senior IT Project Consultant, contacted DataBreaches.net.
Exploration of the site, which went ‘live’ a few days ago, confirmed Dzomba’s concerns. By entering an alumnus’ name in the url http://firstname.lastname.connect2tcnj.com/connect2tcnj.com, anyone could see the personal information of those who had responded to the campaign. A Google search for TCNJ alumni revealed lists of names, some of which this site tested. In some cases, I could see the individual’s name, address, telephone number, zip code, date of birth, marital status, maiden name, name of spouse, name of employer, job title, work e-mail address, and business telephone, if they had entered it. No login or password was required. The configuration also allowed anyone who accessed an alumnus’ page to edit or alter the information, with no password required. No Social Security numbers or financial information was included in the form.
DataBreaches.net made several calls and left several messages for TCNJ personnel concerning the leak, and delayed publishing this until the site was secured. By late this afternoon, the url was no longer working and attempts to connect to the outreach campaign site led only to a subscription form for a mail list.
According to Matthew Golden, Executive Director of Public Relations & Communications, the college had contractual language with the vendor, Pursuant, about ensuring the privacy and security of the data, and they had called the vendor after getting the report of the leak from their alumnus. In a statement to DataBreaches.net, Golden said, “We absolutely take the security of our alumni very seriously. As soon as we learned about the problem, we acted as quickly as possible to rectify the situation.”