University Works to Address Online Security Incident

June 6, 2012 — University of Virginia information security experts responded rapidly this week to address a human error that allowed the transcripts of 2011 and 2012 applicants to the Summer Language Institute to be accessible through the Internet.

The error affected only the information of applicants to the Summer Language Institute, who used an online application designed specifically for the institute. No other University student or confidential personal information was affected by the incident, which was discovered Tuesday. No credit card or bank account information was involved.

In all, 407 transcripts were available through the Internet due to the error. Fewer than 70 of the transcripts included Social Security numbers of applicants. While U.Va. does not display full Social Security numbers on transcripts it produces for former and current U.Va. students, some schools still do. If the applicant provided the Summer Language Institute with a transcript containing a Social Security number, this information was stored in the online application system as submitted.

The University also moved quickly to notify those who submitted online applications to the Summer Language Institute in 2011 and 2012 of the incident. There has been no indication that any information has been misused, said Shirley Payne, assistant vice president for information security, policy and records.

"As soon as this situation was known, the transcript information was secured and a thorough investigation was conducted," reads a letter that will be sent to institute applicants from the University. "The University regrets that your personal information has been exposed to the Internet, and assures you that all efforts are focused on prevention of any recurrence."

Payne said the University's priority after securing the information is to notify applicants whose Social Security numbers were exposed and offer assistance. Information technology experts also worked with Google to ensure removal of the information from the search engine's caches.

The Summer Language Institute offers college and high school students and adults eight weeks of intense study in nine languages, for which they earn two years of college credit (except for those taking Chinese and Arabic, who earn one year).

U.Va. created the online application last year in an effort to streamline the application process for the institute. Applicants used the system for the 2011 and 2012 sessions.

An internal investigation found that the breach discovered this week occurred due to human error, when a database directory containing applicant transcripts was not fully protected.

An applicant to the Summer Language Institute spotted the transcript information among search results relating to his name. The student notified University officials, who began working to secure the site.

"The University of Virginia is very committed to maintaining the privacy of personal information it receives and takes many precautions to keep it secure," the letter to Summer Language Institute applicants reads. "As evidenced by this incident, there is still work to be done."

Letters and emails to affected applicants whose Social Security numbers were exposed were being prepared Wednesday for distribution as soon as possible. Applicants whose transcripts, but not their Social Security numbers, were exposed will receive a letter notifying them of the incident.