University faces lawsuit after security breach

Data breaches are prompting some universities to rethink their use of personal student information.

Data security breaches have plagued colleges and universities for years, and now a former student at the University of Hawaii (UH) has sued the school for negligence in a case that could change how colleges and universities handle data going forward, some experts say.

Philippe Gross, a former student, filed a class-action lawsuit against UH on Nov. 18, after news leaked that sensitive information—including the Social Security numbers of more than 40,000 former UH students—was posted online for almost a year before being removed in October. The lawsuit is believed to be the first of its kind.

“UH did not step up and offer credit monitoring, identity theft insurance, all the things they could’ve done to assist students and faculty,” Thomas Grande, Gross’s lawyer, told the Honolulu Star-Advertiser when the lawsuit was filed.

University officials told the Associated Press that a faculty member inadvertently uploaded files containing the information to an unprotected server on Nov. 30, 2009, exposing the names, academic performance, disabilities, and other sensitive information of 40,101 students who attended the flagship Manoa campus from 1990 to 1998 and in 2001. A handful of students from the West Oahu campus were included in the security breach as well.

Dr. Timothy Kaye, a law professor at Stetson University College of Law, said this is the first time he is aware of a student filing a lawsuit against a university over a data security breach.

The lawsuit raises many technical questions, Kaye said.

“Do they need to keep this data on networked machines?” he said of school officials. “It should make people consider whether everything needs to be networked as much as it is.”

The lawsuit also might prompt colleges and universities to examine how much personal data they collect and store.

“It may be that they need [this information] temporarily, but then could destroy it,” he said. For instance, a university might require an applicant’s Social Security number for admission and financial aid purposes, but the university could then use a randomly assigned number for student identification if that student enrolls at the university.

Many colleges and universities already are paying more attention to how personal student information is stored and used, and the lawsuit now facing UH could cause more schools to examine their own practices, Kaye said, adding: “I think that a lot of these things should be rethought.”

UH-West Oahu spokesman Ryan Mielke said there was no evidence that the faculty member acted maliciously or that any of the information was used improperly. The faculty member, who retired from the West Oahu campus in June, was conducting a study of the success rates of Manoa students and believed he was uploading the material to a secure server.

The university apologized for the incident, saying it was investigating how it happened. It notified the former students by eMail and letters and also alerted the FBI and Honolulu police.

“We are troubled [and] determined to notify everyone according to law and committed to do everything possible in the future to prevent this from happening,” UH system spokeswoman Tina Shelton said.

The incident is the third major data security breach in the UH system since 2009. Each time, university officials promised they were strengthening the school’s network systems and working to identify other potential security risks.

In the latest security breach, UH immediately removed the exposed files and disconnected the server from the network when it was notified of the security breach on Oct. 18 by Aaron Titus, information privacy director of Liberty Coalition, which is a Washington, D.C.-based policy institute.

Google cleared its caches late on Oct. 21, some 11 months after the information first was put online.

“During that time, theoretically, anybody with an internet connection could have had access to it. How likely that is … is anybody’s guess,” said Titus, who discovered the files from a Google search.

Titus said the university’s statement that it has no evidence that the personal information was used maliciously was somewhat misleading.

“Of course they don’t have any evidence of misuse, because the bad guys wouldn’t tell them if they had,” Titus said.

UH President M.R.C. Greenwood has discussed the issue with all the chancellors in the 10-campus system, emphasizing the university’s policy regarding data security and protection of sensitive information.

UH set up a call center and website for individuals who might have been affected. Those who might be affected by the breach were advised to obtain a credit report and to review financial statements to look for unusual activities.

The university system’s other major security breaches include an incident last summer involving the personal information of 53,000 people, including 40,000 Social Security numbers, who had business with the Manoa parking office. And in 2008, more than 15,000 students at Kapiolani Community College were warned after an infected computer compromised their information on financial aid applications.

“There is absolutely no way that we can say this will never happen again, but we are taking every step that’s possible to make sure it doesn’t happen,” which includes upgrading security systems and additional training, Shelton said.

Titus said the university could’ve caught the latest mishap much earlier and quickly blocked any access if it regularly scanned its server for personal information, which takes software that is readily available.

“That wheel has been invented at low cost,” Titus said.

UH believes its problems will lessen with time because of changes in the use of Social Security numbers. The UH system started to phase out Social Security numbers to identify students in 2002. The numbers are still used to identify students from before that time for transcripts and other requests for information.

In mid-November, the Liberty Coalition released a report on the security breaches of personal information in the state of Hawaii. The report was written at the request of Hawaii State Senator Mike Gabbard, and it analyzes the underlying causes of all documented Hawaii breaches since 2005. A follow-up report, expected in January, will outline legislative solutions to the problems identified in this report.

Sign up for our newsletter

Newsletter: Innovations in K12 Education
By submitting your information, you agree to our Terms & Conditions and Privacy Policy.

Laura Ascione
Latest posts by Laura Ascione (see all)

Comments are closed.

Sign up for our newsletter

Newsletter: Innovations in K12 Education
By submitting your information, you agree to our Terms & Conditions and Privacy Policy.