126,000 college students and employees notified of breach
The College Center for Library Automation (CCLA), which provides automated library services and electronic resources to Florida’s public colleges, today began informing students, faculty, and staff of six colleges that some of their personal information was inadvertently open to online access between May 29 and June 2, 2010. A copy of the e-mail notification can be seen here (pdf). The press release on CCLA’s web site states:
The College Center for Library Automation (CCLA), which provides automated library services and electronic resources to Florida’s public colleges, today began informing students, faculty, and staff of six colleges that some of their personal information was inadvertently open to online access between May 29 and June 2, 2010. Importantly, while there is evidence of either viewing by unauthorized persons or search engine posting of some of the personal information, CCLA has found no indication that the data has actually been obtained or misused.
The temporarily exposed personal information, as defined by Section 817.5681(5)(a)-(c), Florida Statutes, belongs to perhaps as many as 126,000 individuals at six colleges. CCLA is notifying the potentially affected individuals in writing, recommending that they place a fraud alert on their credit files to minimize the risk of identity theft, and providing instructions on placing the alert. CCLA’s instructions also include information on reporting any suspected fraudulent activity.
The institutions affected are Broward College, Florida State College at Jacksonville, Northwest Florida State College, Pensacola State College, South Florida Community College, and Tallahassee Community College. The records of these institutions were contained in temporary work files that were being processed by CCLA at the time of exposure.
“We pride ourselves on protecting private information and deeply regret this inadvertent exposure. I apologize to those involved for any worry or inconvenience this may cause them,” said CCLA’s Chief Executive Officer Richard Madaus. “As evidenced by our quick response to this incident, CCLA takes the security of personal data very seriously. We will continue to enhance our technology to safeguard all of the information entrusted to us.”
CCLA has determined that the installation of a software upgrade left the personal data unintentionally accessible for five days. CCLA first learned of the error on June 23, 2010, notified leaders of the colleges affected, initiated a security investigation, and began working with the Leon County Sheriff’s Office Financial Crimes Unit. Investigators discovered that some personal information had been accessed by unauthorized persons and that some was available through Google until the search engine was notified. All online access to the sensitive information was removed within 18 hours or less of discovery.
An FAQ on the incident does not specifically state what types of personal information were involved but notes that they were reportable under Section 817.5681(5)(a)-(c), Florida Statutes which says:
For purposes of this section, the term “personal information” means an individual’s first name, first initial and last name, or any middle name and last name, in combination with any one or more of the following data elements when the data elements are not encrypted: (a) Social security number; (b) Driver’s license number or Florida Identification Card number; (c) Account number, credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
The breach reportedly did not involve any financial information:
The personal information contained in the temporarily exposed records was incorporated into a longer string of alphanumeric information, and was not specifically identified by type of information in any way. The exposed data did not include any personal financial information such as credit card or bank account numbers, or any library usage records.
Hat-tip, Sun Sentinel.