Aaron Titus, a law school student in Louisiana, wanted to prove a point about user privacy. So he started Googling -- and ended up with names, addresses, Social Security numbers, and other personal data on some 80,000 students and employees in the state's university system.
Titus revealed his findings to a local television news station, WDSU, which issued a report yesterday. The FBI and the Louisiana Board of Regents are investigating the leak.
According to the WDSU report, Titus found much of the information on an internal Internet site operated by the Board of Regents, which oversees all of the state's higher education. Most of the network was password-protected, but the area containing the most potentially dangerous data -- including thousands of student Social Security numbers -- was not, he said.
"I was astounded when I saw all this information up -- not protected, not behind a firewall, out in the open where anybody in the entire world can get to it," Titus told WDSU. "I'd be shaking in my boots. I'd be really, really freaked out. All of my information is available to anyone who wants it right now."
Titus found a list of student names and personal data, as well 150 other files that he said contain up to 75,000 more names of students and employees. For example, he was able to pull up a list of administrators and instructors at South Louisiana Community College that includes Social Security numbers.
Law professor Julian Murray told WDSU that the Louisiana Constitution guarantees the right to privacy, including Social Security numbers, and that those affected could conceivably file a class-action lawsuit against the Board of Regents.
"I don't think they can ever answer civilly or morally for what they've done," Murray said.
Commissioner of Education Joe Savoie told the TV station that the Board of Regents was grateful that Titus reported the leak. "In some ways, we're thankful that you found it, because it showed a deficiency in some of our programs, and we were able to stop it," he said. "Now we are going to try to mitigate any damage."
Tim Wilson, Site Editor, Dark ReadingTim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio