For over 40 days, the personal information of 688 students and prospective students of UTSA’s Honors College was exposed to unauthorized viewers. The students were not notified until almost two months later.
On Sep. 20, 2011, Richard A. Diem Ph.D., dean of the Honors College, mailed a personal letter to the 688 students stating that there was “an inadvertent exposure of student education records.” An e-mail with the same information was sent to each of the students as well.
The exposure began June 20, 2011, because of a configuration change to the Automated Student Access Program (ASAP), which is used by students and faculty to access information including class schedules, advising information, fiscal services and information on the Honors College.
On Aug. 2, 2011, an employee notified UTSA officials of a potential unauthorized exposure of Honors College student information. The exposure allowed employees, including those who did not have a business need, to view students’ information such as names, dates of birth, addresses, phone numbers, e-mail addresses and GPAs.
According to information reported in an article on the UTSA Today website, “233 records were accessed by unauthorized users. An additional 455 records may have been accessed by unauthorized users; the remaining 4,012 records were not accessed.”
David Gabler, associate vice president for university communications, stated that social security numbers were not visible at any time.
“I want to be very clear that no information was changed. Viewing is very different than having access to change,” Gabler said. He also stated that the exposure was closed down within an hour after it was noticed; an investigation was started and the situation was rectified.
UTSA’s Information Technology department was able to determine who accessed which files and determined that there appeared to be no malicious intent involved in the accessing of the students’ files.
The past 10 years have seen a tremendous change in the amount of data and information that universities store online about students and faculty.
The Family Educational Rights and Privacy Act (FERPA) has set standards for what student educational information is available to the public and what should be done in the case of exposure.
FERPA was enacted by Congress to protect the privacy of students and their parents. FERPA does not protect against disclosing records that have a student’s name but does protect against disclosing a student’s status and educational information.
The university was not required by FERPA or federal guidelines to send a letter or an e-mail to those students who were possibly affected but erred on the side of caution, even though no social security information was exposed.
“When it comes to data and information about students, that is a priority number one here.” President Ricardo Romo has put together a fairly comprehensive task force to look at security issues. “We are doing everything we can to make sure these things don’t happen and when they do, Dr. Romo is very clear that [we] share what we know with the students,” Gabler said.
Gabler can remember only one other incident similar to this exposure in his 15 years of employment at UTSA. “It’s been so long ago that I can’t remember details. Very rare,” he said.
When asked about the breach in security, Honors College student Carolina Canizales, senior Communications major, stated that she worried a little bit about her address information leaking to the public, but other than that she was fairly certain that everything was handled well.
Students trust that when they provide their personal information to the university it will be kept confidential. It appears that the university has held up its end of the bargain. When asked if anyone else should be concerned about the access of his or her information, Gabler said, “We did a double check and a triple check on that, and if you did not get the e-mail or the letter, you can be comfortable that your records were not accessed.”
