At least 1,000 former Southwest Mississippi Community College got a bit of a scare last week when it was determined some of their personal information — including names, addresses, and in some cases, Social Security numbers — was made available temporarily on the Internet.
Steve Bishop, vice president of student affairs, said he became aware of the unintentional breach on Wednesday night and that the college had removed the personal content from its Internet server by 9 a.m. Thursday morning.
Still, the information was available on some Internet search engines as late as Saturday, even as the college worked with entities such as Google and Yahoo to be certain any “cached” content was removed, according to Mike Tullis, director of the school’s IT department.
The Mississippi Attorney General’s office said Friday that it had been informed of the problem and was in contact with SMCC officials. Bishop said he wasn’t certain whether the college or someone else had informed the AG’s office of the problem but that he had had a conversation with a student on Friday who said he had contacted the attorney general.
Bishop said he doesn’t know if the breach resulted in any identity thefts, but Hood’s office said it had been assured the students affected were being contacted.
“The problem has been taken care of on our end,” Bishop said. “The problem is that the more people who have known about it and talked about it — they go in and check, and that just extends the problem.”
Tullis said the problem occurred when a faculty member stored students’ personal information on an open Web folder “as a secondary repository.”
An Internet search for the breach indicates the information was stored by a member of the college administration.
“Even though we created personal home folders for everybody, somebody decided to store them on an open Web folder,” Tullis said, adding that there was little threat that any of the students’ identities were at risk during the few hours the information was available.
“The threat was minimal and available really only to Southwest students or only people in this area,” he said. “People don’t sit around waiting for a security hole to happen at Southwest. We’re small. The attack surf, in scope — maybe four or five people would be checking here.”
Tullis said hackers don’t attack such small systems. Even if they had, Tullis said, they’d have had very little to go on as far as stealing identities.
The problem involved two documents, both from spring of last year and slightly before, he said. Tullis disputed rumors that the available information went as far as 10 years back.
“We don’t have digitized documents from 10 years back,” he said.
He also said that neither document contained a student’s name, address and Social Security number n anything that would enable an interested party to get a credit card under the student’s name.
“It’s not a deal where you can look at it and say ‘I have their phone number, and their address and their Social Security number. I can go out and get a credit card in her name,’ “Tullis said, adding that the Social Security numbers were part of a continuous data file. Someone would have to be actually searching for their number specifically in a constant stream of numbers to pick it out, he said.
Additionally, names and Social Security numbers never corresponded, he said.
By late Friday afternoon, the college had made strides in having the cached searches, or searches stored in the computer’s memory, purged. Bishop said both Google and Yahoo were working with the college, and the college was in contact with other search engines.
Unfortunately, Bishop said, people who did learn about the breach told other students and former students before contacting the college.
He said that had someone contacted the school sooner rather than first alerting other students, the situation could have been contained even more quickly.
Tullis said an e-mail was sent to all faculty members reminding them not to store personal information on Internet servers.
“We have, in the past, told and told and told them repeatedly that server is not for storing stuff like that,” Tullis said of the faculty. “It is only for Web files and creating Web pages.”
But the problem should not occur again, he said.
“Those files have been moved completely,” Tullis said. “They are on a server that has no access to the Internet whatsoever.”
