Go back

APSU Web audit completed; reveals confidential info of another 1,280 people was Internet-accessible

After a page-by-page review of APSUs Web site, officials have discovered that confidential information of 1,280 peoplein addition to the 1,492 students previously notifiedwas vulnerable for a time.

The original problem surfaced July 21, 2005, when the APSU Office of Information Technology learned there was confidential student information stored in four internal electronic files. The information included names and/or Social Security numbers and/or grade point averagesnot grades, as inaccurately reported by the Associated Press.
After a page-by-page review of APSU's Web site, officials have discovered that confidential information of 1,280 peoplein addition to the 1,492 students previously notifiedwas vulnerable for a time.

The original problem surfaced July 21, 2005, when the APSU Office of Information Technology learned there was confidential student information stored in four internal electronic files. The information included names and/or Social Security numbers and/or grade point averagesnot grades, as inaccurately reported by the Associated Press.

The four files were deleted immediately, APSU's search engine was disabled indefinitely, affected students were notified by e-mail and certified letters and the three national credit agencies were alerted. Simultaneously, APSU staff began a complete review of all 250,000 pages of the University's Web site.

By Aug. 9, 2005, the thorough audit of the APSU Web site was complete, revealing that confidential information of an additional group of 1,280 peopleAPSU employees and vendors who did business with APSU during 1997, 2000 and 2002also had been vulnerable. This confidential information, including name, Social Security number, vendor identification number, address and/or telephone number, was Internet—accessible, using APSU's search engine, from mid-April 2004 until July 25, 2005.

Vice President for Finance and Administration Mitch Robinson says, “Consistent with Tennessee law, we have mailed notification letters to these additional 1,280 people and provided them a sheet of information from the Federal Trade Commission on how to proceed if you think you may be the victim of identity theft.

“Although we have no reason to believe that any confidential information was stolen for identity-theft purposes, any breach of computer security is a serious matter, and we sincerely apologize for any problem this vulnerability may cause.

“We are taking steps to tighten security on our computer server. In addition to indefinitely disabling our Web site search engine and individually reviewing each and every page of our Web site, we already had begun implementing a new campus-wide information technology system that includes a component to safeguard confidential information.”

Specific questions from affected people should be addressed to Charles Wall, director of the Office of Information Technology, at (931) 221-7588 or by e-mail at securityalert@apsu.edu
—Dennie Burke