Univ. of Tampa Breach Affects 30,000
Social Security Numbers Exposed
A server management error caused a data breach at the University of Tampa that affected nearly 30,000 students.
In a statement posted to its website, the university explains that a text file was exposed via the university's website from July 12, 2011 through March 13, 2012. Also, two databases on the university's internal servers were potentially accessible through the school's network, but were not indexed by Google or any other search engine.
The university's office of information technology was informed about the first exposed text file on March 13, after the compromised file was discovered during an in-class exercise using the university's lab computers. The file contained 6,818 records of students who were enrolled for the fall 2011 semester by July 12, 2011. Information contained in the file included name, university identification number, Social Security number and date of birth.
So far, there's no evidence the text file has been used maliciously, the university says. The text file had also been cached by Google in its search engine and was quickly removed; Google verified the removal once it was completed.
The university later learned during its investigation that two databases containing information on 22,722 students also were exposed. The databases contained student names, university identification numbers, Social Security numbers and photographs.
Upon investigating associated logs for the databases, the IT department learned that one student accessed the database files on March 13; that student, along with another student, made the initial report to the university about the exposed files.
"Those students met promptly with university representatives and allowed IT staff to search the computer and storage device to ensure the database files were eliminated. Based on our investigation to date, UT administrators believe there is no risk to students and employees in these two database files," the statement explains.
The university is notifying only the 6,818 students whose information was cached in the Google search engine, and is offering to pay for credit monitoring services for those who choose to enroll. The statement did not indicate for how long the credit monitoring service would be paid.
In a letter to alumni, the university stated, "Based on our investigation to date, UT administrators believe there is no risk to former students and employees in these two database files. The data breach only impacts students enrolled for Fall 2011 by July 12, 2011."
An investigation into the incident is ongoing, and the university will review its current information security policies and practices, according to the statement. The university also is evaluating a third-party proposal to review information technology security and procedures.