Whose Loan is it, Anyway?

More leaks from web sites with private financial data. And this time its a site that most UMass students use for school loans.

More leaks from web sites with private financial data. And this time its a site that most UMass students use for school loans.

Denez McAdoo
September 12, 2006

The same speed and ease that the Internet provides us as students, e.g., no waiting in lines to pencil in information that can be captured with a few clicks, also has the potential to open our private information up to strangers when technical glitches occur.

Last month a login/security flaw in the U.S. Department of Education’s Web-site (www.dlssonline.com) exposed the private information of as many as 21,000 student users. Students who logged onto the Federal Student Aid Web-site early in the week of August 20 may have had their personal information exposed to other users who were also logged onto the site at the time. This information would likely have included users’ names, dates of birth, addresses, and Social Security numbers.

The security glitch appears to have been related to a coding error in a routine software upgrade provided by Affiliated Computer Services Inc. (ACS), which allowed multiple users logged onto the same page to view the private information of other users. Knowledge of the security flaw prompted the U.S. Department of Education to temporarily disable its online payment system citing the need for greater assurance that the problems have been resolved. The software upgrade went online on August 20 at 9:16 PM, EST. Within the first 12 hours, the Department of Education began receiving calls about problems with the site and pages began being taken offline on Monday, August 21.

“The identified Web pages have been disabled and are not going back online until we are 100% satisfied that this problem will not happen again,” said Education Department spokeswoman Jane Glickman in an e-mail to Computerworld.com. “The U.S. Department of Education takes the safeguarding of our users’ personal information very, very seriously, and any compromise of user data is one incident too many.”

The Department of Education has identified all the users that could have been affected and is currently notifying them of the issue. ACS is closely monitoring the accounts of those who may have been affected and has agreed to provide credit-monitoring services for up to a year. There is no word yet when the site will become fully operational with payment and account functions restored. To date, no claims of identity theft have yet been reported.