Some Georgia state employees might face disciplinary actions after their computer errors exposed the addresses and Social Security numbers of recipients of the state’s scholarship program to hackers.

The slip-up highlights the importance of safeguarding student information stored on an internet-connected server.

One scholarship recipient made a startling discovery during an internet search.

Kamie Harkins, a Southern Polytechnic University student, found her home address, Social Security number, date of birth, and the amount of tuition money she received from Georgia’s Helping Outstanding Pupils Educationally (HOPE) scholarship program.

It turned out that personal information about thousands of college and high-school students and their parents in the state’s HOPE database was inadvertently exposed.

The Georgia Student Finance Commission, while installing new software in late April, disabled its firewalls—barriers that prevent unauthorized access to a computer network. The commission said it reinstalled the firewalls in May.

“I just did it out of curiosity,” Harkins said of the search that turned up her personal information. The data were still available on Google, an internet search engine and archive, as recently as June, she said.

The student finance commission said it learned of the security breach after a telephone call from the mother of a Clark-Atlanta University student.

“This was just very, very bad as far as we’re concerned. And, of course, as soon as it was discovered, it was immediately corrected,” commission spokeswoman Alma Bowen said. “We don’t want anything going out regarding students’ personal information.

“I don’t have any idea how many names were out there,” Bowen said.

More than 527,000 Georgia students have applied for HOPE scholarships since 1993.

Harkins said research she and another student conducted for the Southern Tech newspaper found 3,187 pages of personal information on thousands of students attending Georgia schools, including 32 schools in Georgia’s state university system, 29 public technical colleges, and 33 HOPE-eligible private universities and colleges.

The information included names of students who applied for Georgia scholarship programs but who ended up going to school out of state, she said.

An official of Google Inc., which operates Google.com, said it began deleting the information immediately after being notified by commission officials. Because Google operates hundreds of servers in its network, the process might have taken anywhere from a few hours to several days, said spokeswoman Cindy McCaffrey.

Under investigation

Board members from the student finance commission said they might punish employees involved in the security breach once an investigation by the Georgia Bureau of Investigation (GBI) is complete.

Gov. Roy Barnes ordered the GBI investigation after he learned that hackers attempted to enter Georgia’s computer database for HOPE scholarship recipients while its security program was down for nearly two months.

Barnes also called for an audit of scholarship records to determine whether hackers tried to steal money by raising the amount of scholarship payments or by creating new financial-aid recipients.

“We are positive at least one individual tried” to hack into the HOPE system, said Larry Singer, executive director of the Georgia Technology Authority. “We don’t know if [individuals] got access or, if they did, the extent of the access.”

The technology authority found evidence of tampering while examining thousands of lines of computer code that operate the finance commission’s system. The system has been shut down since authorities discovered the glitch.

Barnes spokeswoman Joselyn Butler said the governor ordered an audit to “make sure nobody changed financial records—scholarship amounts and that kind of thing.”

If hackers did gain entry, “it could have been anything from someone innocently finding an open door, coming in, and walking around, [to someone] trying to steal some money—that’s one of the worst-case scenarios,” Singer said.

Though records on scholarship recipients might have been altered, Singer said he doubts hackers could have stolen money by transferring state funds directly into private accounts.

GBI investigators will search for clues using a copy of the system’s program code made just after the hacking evidence was discovered. That serves as sort of a virtual crime-scene photograph.

Meanwhile, the student finance commission will use its own copy to try to get its system running again before the start of the fall semester. The original program is being preserved in case it is needed as criminal evidence.

Unsolicited eMail

When thousands of students receiving HOPE scholarships received unsolicited eMail in early August, they wondered if it was because their personal information had been exposed during the security breach in the spring.

A group opposing video poker sent messages to 10,000 scholarship recipients saying, “HOPE scholarship funding is under attack! Please help NOW!”

Stop Video Poker, however, obtained the addresses legally through a public-records request. The group hopes to win support for banning video poker by arguing that it drains money from the state lottery, which provides the funds for the scholarships.

The activists admit they could have timed their plea better. “The internet is a powerful thing,” mused Arch Adams, the organization’s co-chairman.

Links:

Georgia Student Finance Commission (the site is down throughout the investigation)
http://www.gsfc.org

Georgia Bureau of Investigation
http://www.state.ga.us/gbi