Tyler Junior College data leak exposed housing applicants’ Social Security numbers and dates of birth
I’ve occasionally commented that consumers shouldn’t have to go to the media to get a breach or data leak addressed. Neither should students, but that’s what happened this week to Kierra Perry.
Perry applied to Tyler Junior College in Texas. As part of the process, she also applied for housing and completed the background check information. But when she went to verify the status of her application Thursday, using the “A number” userid assigned to her and her login password, she not only saw her documents, but was able to view other applicants’ background check forms, too. Those forms revealed others’ names, addresses, dates of birth, Social Security numbers, Driver’s License numbers with expiration dates, as well as current and previous addresses. There was also a question that asked applicants whether they had ever been convicted of any crime or had charges pending against them. Copies of two applicants’ forms were sent to DataBreaches.net as evidence of the leak, but to protect the students’ privacy, they will not be reproduced here.
Alarmed by what she saw, Perry says she attempted to contact the Housing Administration to alert them to the problem on Thursday, but tells DataBreaches.net she was not allowed to speak with a supervisor and the person she spoke to “did not see any urgency regarding this situation.” She also sent an email to the college’s administration and called them. According to Perry, someone in college administration told her they were aware of the problem. Perry says she also contacted the state’s Consumer Protection Division at the Texas Attorney General’s Office to alert them to the data leak. But no one from TJC responded to her email, and when she checked on Friday by logging in again, the data were still leaking.
“My concern is if I could see their information, who was viewing mine? And why is it that no one notified us once they became aware of the situation?”
Frustrated at the lack of response, Perry contacted DataBreaches.net. As is this site’s policy when there is a live breach, I called the college, told the switchboard operator the nature of the problem, and was put through to the executive offices and then the CIO’s voicemail, where I left a message with my number. I then called the IT Helpdesk, as the CIO’s voicemail suggested for urgent matters. I explained the situation to a member of the IT staff, confirmed that he was immediately escalating the matter to the IT manager, and asked them to call me back to let me know when the data were secured.
Shortly thereafter, Ms. Perry informed DataBreaches.net that the data leak was no longer evident.
No one from Tyler Junior College called DataBreaches.net back yesterday or this morning, however, so we do not know how the breach occurred and whether they intend to contact everyone whose data were exposed. Nor do we know how many applicants’ data were exposed to others or for how long the situation existed. Hopefully, TJC will do the right thing, and local media in Texas might want to follow up with the college to get more details and to find out what they’ve done in response to this breach.
For her part, Ms. Perry has changed her mind about attending TJC as a result of this breach, and has requested that TJC refund the non-refundable $100 application fee because the college failed to secure her information.
“I was very interested in Tyler as my school of choice but now am very concerned on how my information will be shared,” she tells DataBreaches.net.
Her concern is very understandable.