ITS removes code that made student’s privacy vulnerable
February 20, 2009
A piece of code that Information Technology Services (ITS) used could have made 300 students’ names and Social Security numbers vulnerable within the MyNIU system.
The system was not hacked as popular belief would have it, said James Fatz, director of information security and operations.
“Nothing was hacked,” Fatz said. “In the MyNIU self-help portion, a coding change was made that gave the potential for authorized users to see this information.”
The information was available for only three hours on Jan. 23.
In order to see such information, Fatz said the user would have had to click on a random assortment of links before the user would have seen just one name and number.
“It was way beyond what someone would have normally done,” Fatz said.
ITS removed the code completely from the MyNIU system, in addition to scanning the system for any unauthorized users. None were found, Fatz said.
While only one other person reported the problem to ITS, Fatz said he will not rule out the possibility that others saw the sensitive information. Fatz and Walter Czerniak, associate vice president of ITS, said it would have been very difficult to find it. Fatz said he has not heard of any illegal or fraudulent acts made because of this problem.
Letters informing students of the incident were mailed a week after the incident. Fatz described it as a multi-step process with most of it assessing who was affected by it.