August 26, 2006

Perhaps They Should Have Tested More - Affiliated Computer Services Inc.

Federal student loan program exposes data on 21,000 users

Linda Rosencrance

August 25, 2006 (Computerworld) -- The U.S. Department of Education has disabled its Direct Loan Servicing System, the online payment feature of its Federal Student Aid site, because of a software glitch that exposed the personal data of 21,000 students who borrowed money from the department, said Education Department spokeswoman Jane Glickman in an e-mail to Computerworld.
When a borrower was online late last Sunday or early on Monday, his personal information -- including name, Social Security number, birth date and address -- could have been exposed to another user who was also signed on at the same time and doing the exact same step, Glickman said.

The cause of the problem was a routine software upgrade by the vendor, Dallas-based Affiliated Computer Services Inc. (ACS), she said. The program had a coding error, and six Web pages were affected, she said.

ACS could not be reached for comment today.

"The identified Web pages have been disabled and are not going back online until we are 100% satisfied that this problem will not happen again," Glickman said. "The U.S. Department of Education takes the safeguarding of our users' personal information very, very seriously, and any compromise of users data is one incident too many."

Glickman said the number of borrowers possibly affected was less than one-half of 1% of its 6.4 million users. She said there have been no reports of identity theft. Borrowers who were online between Sunday night and Tuesday morning have all been identified and will be notified, she said.

Glickman said Federal Student Aid has a team of technical experts on site at ACS to ensure that the problem is fixed. ACS has agreed to offer credit services to the borrowers affected as long as necessary but for a minimum of one year, she said.

Glickman said the software upgrade went live on Sunday, Aug. 20, at 9:16 p.m., EST. The first three Web pages believed to be affected by the software error were disabled on Monday at 1:09 p.m.

"Ongoing analysis identified the exact software error, and three additional Web pages were identified to be impacted by the software error," she said. "These three additional Web pages were disabled on Tuesday ... at 10:16 a.m."