MURRAY, Kentucky. The Murray State University College of Education posted the personal information of 260 students and professionals, including names, social security numbers and birth dates, ethnicity, gender, GPA, and test scores on its website. Affected students are all participants in Continuing NCATE Accreditation through Murray State University, and the information is in an Excel report called “2000-2001 State Admissions Report.” The report was last revised in June, 2001 and was posted online in Excel format on or before June 13, 2002. Since that time it has been available to the world online. Google picked up the file in its cache at least 1 1/2 years ago. When in Google’s cache, otherwise “hidden fields” are automatically un-hidden, and are automatically displayed.
Almost all of the information in this report is sensitive, and much of it is protected by FERPA and other applicable laws. Most importantly, Murray State University has put these students at severe risk of identity theft and other forms of fraud or harm.
Considering that this breach went undetected by the university more than five years, the Liberty Coalition encourages Murray University to re-evaluate its security protocols, and implement server-side text and non-text file searching for risky information on university servers, before it is picked up by major search engines.
In response to this notification, Murray State University issued a Media Statement, which is re-published here in full:
“MURRAY, Ky. – On January 3, 2008, Murray State University’s College of Education received notification from the Liberty Coalition, an organization focused on prevention of identity breach issues, that personal student information including student names, social security numbers and birth dates was accessible by manipulating a Microsoft Excel file on the MSU College of Education website. Upon learning of this the College of Education removed the file from its web site and took steps to remove the information from search engine caches. The file was a 2000-2001 Admission to Teacher Education report posted online in Microsoft Excel format in preparation for the fall 2002 accreditation visit by the National Council for Accreditation of Teacher Education (NCATE) and Kentucky Education Professional Standards Board (EPSB). “While on opening the file revealed no personal data that could be connected to any student it did contain ‘hidden fields’ which could be manipulated to reveal the information listed above. It was not MSU’s practice or procedure to post any file for this particular report in Excel format, opting instead for the Acrobat reader format. The posting of this Excel file was inadvertent and unintended. Evaluation of web logs available to Murray State indicate that the file has been searched for, however, Murray State is unable to determine whether the information in the ‘hidden fields’ has, in fact, been accessed.
“The University notified affected individuals by mail and provided information on identity theft precautions and other precautionary measures.
“MSU has taken and is continuing to take steps to remedy the situation. This is a regrettable incident and Murray State considers any breach of privacy and confidentiality as a serious matter. The University will make every effort to address concerns and questions on this sensitive issue. For more information please contact Bonnie Adams in MSU’s College of Education at 270-809-3833 or email
.”
The Liberty Coalition encourages individuals affected by this breach to follow precautionary measures as outlined on this site, and as directed by MSU.
You can confirm whether you were affected by this breach by searching for your name at www.ssnbreach.org.
About SSNBreach.org
SSNBreach.org is a free online directory of victims of personal information breach, that tells you whether your personal information has been exposed.
SSNBreach.org does NOT contain sensitive data, such as Social Security Numbers (SSN), Birth Dates, Addresses, and the like. Consequently, there is no way to search for your SSN or any other type of sensitive data on SSNBreach.org. Instead of storing sensitive information, we document what information was exposed, and the situation surrounding the breach. This information allows victims to further investigate, take action, or correct any harm from the exposure.