NMSU acts to address limited 2006 exposure of student personal data

March 3, 2010 by Christina Pheley NMSU NewsCenter

New Mexico State University learned that a computer file containing personal information of approximately 300 students from a spring 2006 course had appeared on an unauthorized, non-NMSU-affiliated computer.

Tiversa, a company that monitors the Internet for unauthorized exposure of information, notified NMSU that the company had detected information related to NMSU students on a computer with peer-to-peer file sharing software.

“We immediately contracted with Tiversa to determine the type of data exposed and the extent of that exposure,” said Shaun Cooper, NMSU associate vice president and chief information officer. “Through our investigation with Tiversa, we learned that a faculty member teaching a course in 2006 had transferred a student data file for course reporting purposes to a teaching assistant’s laptop via e-mail. After the teaching assistant left NMSU in 2007, peer-to-peer file sharing software was installed on the teaching assistant’s laptop. Eventually, the student data file was accessed via the file sharing software, without the computer owner’s knowledge.”

NMSU took immediate measures to prevent the file from being shared further.

“We contacted the former teaching assistant, who deleted the file from the laptop,” Cooper said. “We also issued a ‘cease-and-desist’ order to the owner of the non-NMSU-affiliated computer to which the file was last transferred. The order legally forbids the computer owner from possessing the file that contains the NMSU students’ information.”

In addition, NMSU has sent a letter to each of the students from the 2006 class whose data was in the file and provided the students with information about actions they can take to prevent identity theft as a result of the unauthorized data exposure.

“Along with the faculty, staff and administration of NMSU, I place the highest priority on safeguarding student information,” Cooper said.

Since 2007, NMSU has implemented several measures to safeguard the personal information of students, faculty and staff, including the following:

  • eliminating students’ Social Security numbers from daily business transactions;
  • stepping up data security training for staff and faculty on the handling of NMSU data;
  • implementing strict policies to protect data, such as requiring that NMSU data be deleted from personal computers when faculty, staff and students leave NMSU employment; and
  • prohibiting NMSU data from being stored on portable or removable electronic media.

“Along with NMSU’s faculty and administration, I sincerely regret this incident of unauthorized student data exposure,” Cooper said. “We want to assure the entire university community that we place the highest priority on safeguarding all personal information and that we will continue to upgrade our technology and evaluate our policies to make sure that personal data remains secure.”

For anyone concerned about identity theft in general, the Federal Trade Commission provides information about actions people can take to prevent identity theft and determine if personal information has been stolen. They also suggest actions people can take to recover from the theft of personal information. The Federal Trade Commission’s Web site is http://www.ftc.gov/bcp/edu/microsites/idtheft/consumers/.

The major consumer credit reporting companies and their phone numbers are listed below. To obtain a free annual credit report from them, visit Annualcreditreport.com at https://www.annualcreditreport.com/cra/index.jsp:

  • Equifax 800-525-6285
  • Experian 888-397-3742
  • TransUnion 800-680-7289

This entry was posted in News and tagged , , , , , , , , , . Bookmark the permalink. Follow any comments here with the RSS feed for this post. Both comments and trackbacks are currently closed.