Site reveals student SSNs, grades

A professor removed a file containing more than 90 students’ Social Security numbers, names and grades this week after being informed it could be accessed on the Internet.

Physics professor Frank Lee said he stored the file, which contained information from his class last semester, in a supposedly secure Internet location with files from this semester. He said he believes the Web site became available to the public after he accessed it to add students’ midterm grades this October.

Students in the class could access their grades if they typed in an identification number used for the specific bookkeeping software Lee used. The file was not intended to be seen by anyone other than Lee, officials said.

The Hatchet learned Saturday that students could access the site by performing a Google search of their name or Social Security number. The Web site was inaccessible by Sunday night, according to Hatchet searches.

“Just this one (file) was exposed by a security flaw,” Lee said. “Google is just too powerful.”

“It’s the first time this has happened to me. So we learn from it and I don’t think it will happen again,” he added.

Several students in the class said they were surprised and upset about the situation.

“I guess it’s mainly frustrating because you would think stuff like this never happens,” said sophomore Richard Geer, adding he is looking into changing his Social Security number because of the incident.

Officials said online security breaches happen occasionally. “When things like this happen, we try to correct it as soon as possible,” Chief Technology Officer Guy Jones said.

While some University officials said they did not learn of the security breach until The Hatchet brought it to their attention this week, they addressed the situation immediately.

“Given this event, I have asked the rest of the physics faculty to remove any sensitive files from their Web pages or tell me what extra security measures they have taken,” said William Parke, physics department chair, in an e-mail.

University Registrar Dennis Geyer said he alerted GW’s security administration so officials could share the information with other faculty members who store sensitive materials on internal servers.

He said faculty members sharing students’ Social Security numbers is illegal under the Family Rights and Privacy Act of 1974. GW informs faculty about the significance of the legislation through annual statements, one of which will go out next week and at faculty orientations. Information is also printed on schedules and academic bulletins, and departments hold question and answer sessions at meetings.

Parke said the physics department is also concerned about protecting students’ identities.

“The physics department takes the privacy of student records very seriously,” he said. “We will continue to aggressively act to protect these records, keeping abreast of security issues, while fostering the use of the best technology.”

Officials said GW has been looking into long-and short-term solutions for protecting students’ identities.

Executive Director of Administrative Applications Robyn East said a committee to research GW’s options met throughout the last academic year, but took a break for the summer. She said the former chair is no longer with GW, but a new committee is being formed with a new chair.

Geyer said other universities have taken two to four years to completely switch from using Social Security numbers to random identification numbers.

Senior Vice President for Student and Academic Support Services Robert Chernak said because the University uses Social Security numbers for various purposes, such as GWorld cards and housing, officials would have to figure out how relationships between software in different areas of the University would function.

“There are literally hundreds of systems that are triggered by unique student numbers,” he said.

While officials said students have the option of changing their student identification to a randomly generated number, Geyer said “less than 10″ students have requested to do so since the beginning of the fall semester.

He said,”You have to take responsibility for yourself.”

The Hatchet has disabled comments on our website. Learn more.