Personal data from 12, 000 York Tech applicants may have been exposed

[Erica Absetz <erica () riskbasedsecurity com>]

http://www.thestate.com/2013/05/07/2760730/personal-data-from-12000-york.html

ROCK HILL, SC — The names, Social Security numbers and driver’s
license numbers of more than 12,000 online student applicants at York
Technical College might have been exposed, school officials said
Tuesday.

And it was one of the applicants who discovered the problem and
brought it to the college’s attention.

An online admissions system used from January 2012 to April 2013 was
at risk, officials said. The college has shut down the system, they
said, and no other computer systems were affected.

The school said it has no evidence of any “malicious access.”

York Tech has notified the applicants of the exposure. A letter to
applicants contains steps that can be taken to protect their personal
information and obtain one year of free crediting monitoring services.

A new online admissions system is being developed, college officials
said, and should be in place by Friday, followed by a “more robust”
system scheduled for use in the fall.

York Tech has hired a security consultant to evaluate the old online
system and recommend any additional safeguards.

The cost of hiring the consultant, paying for credit monitoring and
providing other services could reach $100,000, which would come from
the college’s contingency fund.

York Tech President Greg Rutherford said the applicant who discovered
the problem used a computer tool that would allow him to make changes
to the online system and “potentially view data.”

The applicant contacted the college April 16 about the vulnerability.

Rutherford declined to release the person’s name, saying he was not a
college employee or a current student. He said the person, who he
identified as someone experienced in information technology, wants to
come to York Tech to add to his computer certification, possibly this
summer or fall.

The online application system was developed internally by York Tech
and has been in use since 2005, Rutherford said. The school selected
January 2012 as the earliest notification because the system had been
purged of data before then.

York Tech has notified the state Department of Consumer Affairs about
the problem. Since there is no evidence of criminal activity,
Rutherford said, no law enforcement agencies have been notified.

York Tech problems were vastly different from the breach experienced
by the state Department of Revenue in 2012, Rutherford said, which was
the largest hacking of a state agency.

There is no evidence any York Tech data has been accessed or illegally
used, he said.

The cyber-thief who hacked into the Revenue Department’s computer
servers last September took unencrypted data from 3.8 million
individual filers and 700,000 businesses. The information included
Social Security numbers and credit and debit card numbers for 387,000
returns.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security equips organizations with security intelligence, risk
management services and on-demand security solutions to establish
customized risk-based programs to address information security and
compliance challenges.