The University of Rochester has informed 286 graduates about an unintentional public disclosure of their Social Security numbers and some pre-college standardized test information. Two spreadsheets with limited personal information were discovered this month on a publicly accessible Web page maintained by the University.
University network records revealed that the first public access through University servers occurred June 12, 2006, when a University of Rochester graduate spotted her name on a list of former students with identifying numbers. She reported it to the University on June 15, and the material was removed immediately.
The University found that the Web page also was made accessible through the automated cache provided by the Google search engine. Google has removed the information from its files.
"The University of Rochester takes information security very seriously and seeks to prevent occurrences like this, and we sincerely regret this error," said a letter mailed to the graduates on June 27. Most of the students involved have graduated from the University of Rochester.
The error occurred when a faculty member was backing up computer files to a directory and did not realize that the material would be Web accessible. The University has determined that the files were first indexed by Google in mid-2005. Evidence showing minimal access to the data on the University's network indicates a low likelihood of access to the Google cached version as well. Google has not provided information about access to its cached version of the page.
New York State law requires the notification of individuals whose information may have been compromised, even in instances where the likelihood of exposure is fairly low. The incident also must be reported to the New York State Attorney General, the Consumer Protection Board, and the Office of Cyber Security. Some Frequently Asked Questions about this accidental disclosure as well as information on preventing and responding to security theft can be found at www.rochester.edu/ITS/security/resources/id_theft.html.
Inquiries can be made to Sharon Dickman at the University Office of Communications at (585) 275-4128 or e-mail firstname.lastname@example.org.