By Jessica Havery
October 20, 2005
Due to what Montclair State University officials are calling an
"inadvertent error," the social security numbers of 9,100 Montclair
State University students were made available online for nearly five
months, putting each student at risk for identity theft and credit
The error, discovered last Wednesday by junior political science
major, Brian Gatens, was identified when Gatens stumbled over the
information database after running a search for his name on a Google
After making the discovery, and contacting Information Technology to
report the issue, Gatens informed The Montclarion about the mishap.
However, the paper decided to hold the story, originally meant to run
on Oct. 13, in order to protect the confidential information of the
students at risk.
In response to Gaten's report, Jeff Giacobbe, director of Information
Technology Networks, Telecommunications, Systems and Security, said
that the information had been gathered by a University employee who
had been authorized to do so.
"This person inadvertently posted the files to an area of the campus
web server that was subsequently read and 'cached' by the Google
search engine," Giacobbe said.
The employee, whose name has not been released by the University,
placed the files onto the server so that the information could be
retrieved by other University employees, who also had authorization to
view the documents.
According to Giacobbe, the individual failed to realize that, by
placing the files in that location, the information was also visible
to other parties, including internet search engines.
While other media outlets have reported that the individual
responsible made a mistake and would not be punished, Vice President
of Student Development and Campus Life, Karen Pennington, said that
the matter was still under a full investigation.
When Gatens contacted Giacobbe about his findings, he was informed
that the process of having the files removed from the Google search
engine normally takes three to five business days. The University, in
an effort to expedite the process, contacted the State Attorney
General's office, which assisted with the removal of all files.
Last Thursday, Pennington sent a campus-wide e-mail about the slip up,
and urged undergraduate students with a declared major and an assigned
academic advisor to take retroactive precautions to protect themselves
and their credit reports.
Pennington said that the University has received responses from
parents and students regarding the announcement of the security
"There have been clarifying questions regarding the event," Pennington
said. "Responses from students fall into three categories: clarifying
whether [he or she] was specifically affected; clarifying how to get a
free fraud alert versus having to pay and general concern regarding
While students have sent letters and made phone calls as a way of
expressing concerns, and complaints, they have also joined forces
electronically by creating online blogs and groups through sites like
Livejournal.com and Thefacebook.com.
Mancine's post received 11 comments from other undergraduate students
discussing the incident, and the possibility of taking legal action
against the University.
Another student, who could only be identified by the username
'ticklish721,' said "I may take legal action if I find something
suspicious on my credit report."
In addition to the Livejournal group, Montclair_State, 45 students
have joined the "MSU Screwed Up and I Fell Victim to ID Theft" group,
created by computer science major, James Ragucci.
Students, such as music major Rosemary Topar, are using the group to
unify any students interested in participating in a class-action
lawsuit against the University.
After reading about a bill signed by N.J. Governor Codey that would
require colleges to stop using social security numbers as
identification numbers, Topar asked, "Will someone please tell me why
the University failed to halt the use of our social security numbers
starting with this year?"
Giacobbe said that Montclair State has been working to implement an
alternate identification system for the past several months, and
expects the system to be functional before the end of the year.
"The campus-wide identification system is a unique eight-digit number
for every student and University employee that will be used in place
of a social security number for most University business and all
online authentication," Giacobbe said.
Pennington said that she was confident that the change will prevent
unauthorized disclosers in the future.
An information technology representative from Kean University said
that their University has already made the change from social security
numbers to an alternate form of identification.
"While we have made the switch to an alternate number, students may
choose whether they want to use their social security numbers, or
not," she said.
In some cases, according to Giacobbe, social security numbers will
"Certain State and Federal processes, such as student financial aid,
require social security information," Giacobbe said. "The numbers must
remain a part of an individual's private ... record, but as of the end
of the year, they will no longer be used as a primary indentifier or
for logging into online services."
InfoSec News v2.0 - Coming Soon!