Almost 280,000 to be notified of hack at Northwest Florida State College; ID theft reported

Jim Turner reports:

An information security breach has been reported involving employee and student records at Northwest Florida State College in Niceville.

[…]

According to the state Department of Education, the breach included more than 3,000 employee records and approximately 76,000 Northwest College student records containing personal identification information; and approximately 200,000 records with information including names, Social Security numbers, dates of birth, ethnicity, and gender for students across the state who were eligible for Bright Futures scholarships for the 2005-06 and 2006-07 school years.

Read more on Sunshine State News.

The college has set up a web site for the breach.  According to their update today:

The NWFSC student information compromised in the security breach contains public directory information including name and address, as well as confidential student data including birth date and Social Security number. The Bright Futures scholars’ data file includes all State of Florida Bright Futures eligible students during the 2005-06 and 2006- 07 academic years. This data file contains student names, Social Security numbers, dates of birth, ethnicity and gender. No student academic files have been compromised.

The college reports that the breach was discovered following an internal review conducted between October 1 – 5  after the college started receiving reports from employees of fraud.  Even the college’s president became a victim.

In a memo to employee sent on October 8 via e-mail, the college informed them:

We know from May 21, 2012 until September 24, 2012 one or more hackers accessed one folder on our main server. This folder had multiple files on it. No one file had a complete set of personal information regarding individuals. However, by working between files, the hacker(s) have been able to piece together enough information to be able to engage in the theft of identity of at least 50 employees.

We know by working between files data regarding Name, Social Security Number, Date of Birth, and Direct Deposit Account numbers were accessed. Additional directory information such as address, phone numbers, college email address, etc. was also likely compromised.

We know three specific mechanisms have been used to engage in identity theft. The first is to use PayDayMax, Inc. as a conduit for taking out a personal loan which is repaid by debiting your bank account. The second is the same process using Discount Advance Loans. The third is to apply for a Home Depot Credit Card in an employee’s name and then use that card.

We know current employees and all retirees/past employees since 2002 that have had direct deposit of their pay have the potential to have had their information compromised.

The college says that the system has now been secured.

Kudos to the college for doing a terrific job of notifying employees promptly and issuing timely updates as they learn more.

About the author: Dissent

5 comments to “Almost 280,000 to be notified of hack at Northwest Florida State College; ID theft reported”

You can leave a reply or Trackback this post.
  1. Sheila - October 10, 2012

    [The NWFSC student information compromised in the security breach contains public directory information including name and address, as well as confidential student data including birth date and Social Security number.]

    DOB is directory information, not confidential, isn’t it?

    • admin - October 10, 2012

      Many schools do not include DOB as directory info, because the “Directory Information” is defined as elements of the education records that would generally not be considered an invasion of privacy. That said, schools are allowed to define “Directory Information,” so some schools, like Clemson, disclose – without consent – a slew of information (see http://www.registrar.clemson.edu/ferpa/directoryInfo.htm for Clemson’s definition).

      • Sheila - October 10, 2012

        Learned something new. Hadn’t thought about it that way. thanks.

        Terrible breach. SSN, ethnicity & gender.

        [Information including names, Social Security numbers, dates of birth, ethnicity, and gender for students across the state who were eligible for Bright Futures scholarships for the 2005-06 and 2006-07 school years]

  2. Sheila - October 10, 2012

    Wow, just looked at Clemson’s directory information.

    http://www.registrar.clemson.edu/ferpa/directoryInfo.htm

    Learned some more about FERPA.

    • admin - October 11, 2012

      I don’t want to single out Clemson – it was just a convenient example of how much info can be disclosed without consent under FERPA. NWFLSC’s policy/definition is:

      Although the following directory information may be released at the discretion of the college, the college does not routinely release such information to third parties: name, address, major field of study, participation in officially recognized activities and sports, weight and height of members of athletic teams, photographs, dates of attendance, enrollment status, degrees and awards received, and the most previous education agency or institution attended. In addition to directory information, the college is required by law to release to the United States Armed Forces student recruiting information which may include the student’s name, address, phone number, date and place of birth, level of education, most recent previous institution attended, major field of study, and degrees received.

Comments are closed.