Telecom firm leaks student data to Web
A company that provides intra-campus telephone services to small colleges has inadvertently left database files containing names, addresses and social security numbers on the Internet.
In the latest of what has become a common Internet problem, the information about more than 2,000 students whose schools use telecommunications management firm Resicom may have leaked out from the company's Web site. Database files containing students' personal information had the wrong permission settings and could have been accessed using any Web browser as late as Monday afternoon.
David Horn, the network and billing manager for the Doylestown, Penn., company was working to turn off access to the files Monday afternoon.
"This is a big deal for us; it has never happened before," he said. "It's embarrassing, not to mention serious."
The company's customers include Texas A&M University, Ottawa University, Indiana Wesleyan University and almost 70 other schools. In total, the firm provides phone services for more than 100,000 students, though the problem only affects a small fraction, said Horn.
Resicom provides its student customers with easy access to their records via the Web. In this case, however, access may have been too easy.
A staff member first notified his school of the problem after a friend searched for his name on the Internet and suddenly had access to a database record that included the staff member's social security number, the person said in an e-mail message to CNET News.com. On Saturday, the staff member, who asked not to be identified, contacted the dean of the school and attempted to reach the company, but to no avail.
Resicom didn't get the message until Monday, Horn said. "We first heard about it this morning," he said. "We got an e-mail from a customer."
The company immediately contacted its Internet service provider and by the afternoon had access to the files blocked. Horn said that the firm uses a local Internet service provider to maintain much of its Web site including the parts that had the permission problems. Horn suggested that the arrangement may stop after this incident. He would not identify the Internet service provider.
"It may change the way we handle online information," he said. "I handle the in-house Web site, and we keep a pretty tight grip on that information."