UPDATE: Education Department Glitch Exposes Data On As Many As 21,000 Borrowers
Three days after the U.S. Department of Education first received reports of the data leak, borrowers still can't update their personal information or pay federal student loans on the Web.
The U.S. Department of Education leaked personal information on as many as 21,000 people over the course of two days earlier this week.
A glitch caused by the deployment of a software upgrade at the department affected the part of the Web site that handles federal student loans. Between Sunday night and Tuesday, when borrowers went online to either make a loan payment or update their personal information, they were shown sensitive information about other borrowers when they clicked on "update."
The glitch revealed people's names, loan balances, birth dates, addresses, telephone numbers, and Social Security numbers, says department spokeswoman Jane Glickman.
"We're very upset about this," she adds.
Affiliated Computer Services, the Dallas-based IT outsourcer that installs and maintains the agency's programs, installed a software upgrade on Sunday. A problem with the upgrade caused the Web site to reveal the wrong user's data to the person submitting information online, according to Glickman. The agency received a complaint from a borrower on Monday and took down six Web pages they believed to be the problem early that afternoon. However, she says ACS technicians didn't realize that three other pages on the student loan site had been affected as well. Those pages weren't taken down until Tuesday.
As of Thursday afternoon, borrowers still weren't able to access their personal information or make a loan payment online.
Neither Glickman nor Joe Barrett, a vice president for ACS, was able to say what software was being upgraded or whether it had been tested on a simulated network prior to the installation. "The problem, whatever it was, has been fixed," Barrett says. Glickman, though, says ACS has been directed to review its testing procedures and processes.
The Department of Education maintains that the payment portion of the Web site won't go back online until they're "100% satisfied that this problem will not happen again." The agency sent a team of tech experts to work on-site at ACS.
"To date, we know there has been no identity theft," Barrett says. However, when pressed, he then admitted that he has no idea if anyone's personal information was stolen. He says he was basing his assertion on the fact that no reports of identity theft have come in related to the error.
But Howard Schmidt, the former White House security adviser and now president and CEO of R&H Security Consulting, says only time will tell if users' information was hijacked.
"You don't know nothing was stolen," he says. "Without some postmortem and some serious forensics to find out who was on there and what was exposed to them, and then interview those who were online at that time, you're not going to know what happened, are you? Until you see that people are applying for loans in someone else's name, you won't know what happened."
Schmidt also says basic testing of the software before it was installed on a live system would have taken care of the problem. "Before you go live with a system, you normally do the testing in a closed simulated environment," he says. "That would have revealed the flaw before it occurred. You don't skip the test because of what could conceivably happen."
Alan Paller, director of research for the SANS Institute, says ACS may have made the error, but it's ultimately the Department of Education that's responsible for the security of users' critical personal information.
"Essentially, everything the feds do now is by non-federal employees," Paller says. "They've got contractors everywhere. It's a red herring. They can say, 'Oh, we didn't do that. An outsourcer did that.' But they've got the responsibility to make sure that people know secure coding. And they don't, and they don't test it."
The DOE handles federal student loan programs such as the Pell Grant. The agency has stated that all borrowers online between Sunday night and Tuesday will be notified of the problem. Glickman says the 21,000 borrowers will be notified by mail about the data leak, and they'll be offered free credit service for a year. The notifications will go out as soon as the agency firms up details of the credit offering, which will be paid for by ACS.
Approximately 6.4 million people have federal direct student loans, and they can access their information on the DOE Web site using a PIN and account number.
This is far from the first federal agency to have had data security problems recently.
Earlier this month, the U.S. Department of Veterans Affairs reported that a desktop computer with personal data on as many as 38,000 U.S. military veterans had disappeared from Unisys, a subcontractor. That incident came just days after authorities arrested two teenagers in connection with the May 3 theft of a VA laptop and hard drive containing sensitive data on as many as 26.5 million veterans and military personnel. The equipment in that case was stolen during a burglary of a VA employee's home.