Federal student aid site exposes borrowers' data

Education Dept. disables online payment feature of site, following security gaffe that could affect up to 21,000.

Dawn Kawamoto Former Staff writer, CNET News
Dawn Kawamoto covered enterprise security and financial news relating to technology for CNET News.
The U.S. Department of Education has disabled the online payment feature for its Federal Student Aid site, following a security breach that could affect up to 21,000 borrowers.

Federal Student Aid recipients who between Sunday and Tuesday accessed one of six Web pages on the Department of Education site may have had their personal information exposed to others, said Lesley Pool, a spokeswoman for software company Affiliated Computer Services. ACS created the technology for the Direct Loan Servicing feature on the Department of Education's site.

A person who logged on or tried to access parts of the site at the same time as another user may have viewed sensitive information entered by the previous person, such as name, Social Security number and birth date, Pool said.

"A fix went in on Tuesday morning, and we think it's been fixed. But we're doing more testing, and until there is 100 percent certainty, the (payment and account) functionality has been taken offline," she said. "It is up to the (Education) Department to say when the code is ready to go."

Pool did not have any estimates for when the Department of Education would reinstitute the payment and account functions on its site.

Department of Education officials said the agency has identified all the affected users and will notify them that their information may have been compromised. But, as of Thursday afternoon, there was no notice on the department's Direct Loan Servicing Web site informing users that their security may have been breached.

A House of Representatives committee bill that was approved earlier this year calls for businesses to alert customers when a security breach occurs, including posting notices on their Web sites. But the Data Accountability and Trust Act, which still requires approval from Congress before becoming law, would not have the same requirements for federal agencies.

Problems with the Federal Student Aid Web site began Sunday when ACS launched a software upgrade that was designed to make the Web-based interface easier to use and more secure.

But the company received four calls during a 12-hour period, informing it of problems with the site, Pool said.

"That led us to investigate and pull those sections offline so the problem would not replicate itself," she said. "We take information security very seriously."

No reports of identity theft have arisen, and ACS is monitoring the situation, she added. ACS is reviewing accounts for any abnormal activity and is paying for credit-monitoring services for affected borrowers for up to a year.

Some other agencies that cater to borrowers of student loans have experienced similar security breaches. Earlier this year, the Texas Guaranteed Student Loan company said that up to 1.3 million borrowers were at risk of ID theft after computer equipment loaded with sensitive student loan information was lost.