Education data breach puts 21,000 student loan borrowers at risk

Student loan holders logging on to an Education Department Web site between Sunday night and Tuesday morning exposed their personal identities to others as a result of a glitch in a contractor's efforts to service the site.

As first reported in the Boston Globe Wednesday, as many as 21,000 borrowers in the Federal Direct Student Loan Program could have had their personal data, including Social Security numbers, birthdates and addresses, compromised in yet another government agency data breach.

This incident follows a string of publicized breaches governmentwide, affecting information systems in more than a dozen federal agencies.

Dallas-based Affiliated Computer Services Inc. was performing a software upgrade on the Federal Student Aid Web site when the glitch occurred, an Education Department spokeswoman said. From around 9 p.m. Sunday until 10:15 a.m. Tuesday, users performing a certain task on the Web site would see the personal information of the last person who tried to complete the same task, officials said.

The Web site was partially shut down Monday and another part was shut down Tuesday, according to the spokeswoman.

ACS is offering free credit monitoring for a minimum of one year to all affected students, according to Education's spokeswoman. As of Wednesday, 26 people had contracted the department.

The spokeswoman noted that the 21,000 affected loan borrowers represent less than one-half of 1 percent of the 6.4 million people who have loans through the program.

ACS did not respond to requests for comment, but a spokesman for the company told the Boston Globe that no identity theft has occurred yet and if it does happen, the company will "correct the situation and help prosecute."

Rep. Edward Markey, D-Mass., co-chair of the congressional Privacy Caucus, said the Education Department cannot openly expose the financial information of student loan borrowers without promising significant efforts to protect those individuals from identity theft.

"From veterans to on-duty military personnel and now to student loan borrowers, the Bush administration has made breaches of privacy a regular occurrence and a signature of its tenure in Washington," Markey said.

This is at least the second reported government data breach involving a contractor this month.

On Aug. 3, the Veterans Affairs Department was notified that a desktop computer containing the names, Social Security numbers and medical data of as many as 38,000 people went missing from the offices of an agency subcontractor. This followed the early May data breach where the personal information of 26.5 million people was stolen from the home of a department employee. The data was subsequently recovered.

In late July, a laptop from the Transportation Department inspector general's office containing the personal information of 133,000 Florida residents was stolen from a government-owned vehicle.

Stay up-to-date with federal news alerts and analysis — Sign up for GovExec's email newsletters.
Close [ x ] More from GovExec