An number of A&M faculty and graduate student social security numbers were accidentally posted to an insecure website in early March — a security misstep that administrators addressed Wednesday in a campus-wide email and at a Vision 2020 forum.
The social security numbers for any A&M faculty member or graduate student who taught classes during the Fall 2014 semester were mistakenly posted online. Administrators say every visitor to the website while the information was displayed is accounted for, and the threat of fraud is low.
Interim President Mark Hussey sent out an email alerting all faculty, graduate students and undergraduate students about the occurrence, and said the incident has since been handled accordingly.
“With regard to the on-line posting of SSNs, we have completed our internal investigation of this incident and concluded that this release resulted from the failure of at least two employees in a unit under the provost’s office to follow established internal security procedures,” Hussey said in the email. “Texas A&M University System Audit will also be conducting an investigation of this incident as well to provide an independent assessment of what internal controls were not followed along with what actions they recommend be taken.”
Hussey said those whose social security numbers were posted have all been notified, and he encouraged anyone involved who suspected fraudulent activity in their accounts to immediately call the University Police Department. Letters were sent to those whose information was accidentally released, and a monitoring service was provided to them for the next two years, Hussey said.
Provost Karan Watson also addressed the issue at the start of Wednesday’s final Vision 2020 strategic planning forum.
Watson said those whose information was exposed were faculty and graduate students who taught classes at A&M in the fall of 2014.
“Some of you are saying, ‘Am I on the list or not?’ If you taught last fall, yes,” Watson said. “So it was a mistake, we know exactly how it happened. We are concerned that a particular staff member posted this, but that’s not the problematic thing.”
The problematic part, Watson said, was the supervisor over the staff member who should have trained this staff member not to make these mistakes. The protocol typically has checks to prevent the posting of social security numbers, but these checks were not executed.
Watson said the mistake occurred when an A&M employee generated a standard yearly report. Watson said the state legally requires A&M to include social security numbers, among other information, as sources for the report’s data for it to be correctly turned in. The error occurred when the employee posted these sources to a non-password-protected area online.
So far, Watson said, A&M has been able to track every site visit where the social security numbers were posted, and all 32 accesses to that site have been accounted for.
“Eighteen of them were our employees who had a reason to be on that site,” Watson said. “We have also looked at all of their information to see if they have any social security numbers on their site so we can do that for our people. All 14 of the others we have been able to say exactly — and we have even contacted a few — to know exactly why they contacted this site. So we have accounted for all 32 contacts to this site.”
Although security cannot be completely guaranteed, Watson said the probability of fraudulence is relatively low for this particular incident.