Data Security Lapse Exposes Info of 7,500 UMW Students

A lapse in information security procedures at the University of Mary Washington left personal information of more than 7,500 students exposed on an internal university computer network. 

A data file containing sensitive information, such as student names, social security numbers and dates of birth, was accidentally posted to a university department site on the EagleNet intranet, a network accessible only to those with UMW email accounts. Despite the vulnerability of the data file, network logs show that the files were only accessed by three students innocently searching for their own information, say university officials.

UMW alerted faculty, staff and students of the security lapse in messages as early as June 3, nine days after the data file was discovered. Staff at the university public affairs office are declining to identify the department or individual responsible for posting the data file. 

"It's immaterial who posted this particular information," said George Farrar, director of communications at UMW. "We want everyone to take notice that it's everyone's responsibility to maintain the proper degree of access to that type of information."

A memo to faculty and staff sent in the wake of the data security lapse asked employees to review the school's information security policies. 

Farrar says that the snafu was discovered on May 23 by a student who was searching for his own information on EagleNet. The data file contained information for a total of 7,566 students. In addition to sensitive identity information the data file also contained directory information for internal use within the university administration. Farrar did not have on hand information about how long the data files were exposed. 

"The student proactively and responsibly reported this fact to university officials and immediate steps were taken to prevent further access to this information and to remove the files from the departmental EagleNet site," read a memo to faculty and staff on the incident. 

University staff spoke with the three students who had accessed the files and determined that the students had no malicious intent and the information wasn't used for identity theft. 

Despite this, a memo sent to students provided contact information for the three major credit bureaus so that students could review their credit histories.