Official response includes heightened security, procedural review to reduce future incidents
BY: Melissa Wilkinson
Editor-In-Chief
On Feb. 28, 2018, a file containing personal identification information for 362 STLCC students was accidentally emailed to a limited number of other students. The file, attached by mistake instead of the correct attachment about campus events, contained names, emails, home addresses and school identification numbers (A-numbers) of the 362 students. According to Vice Chancellor of Student Affairs Tony Cruz, there was no malicious intent behind the incident, and the college is already working on security improvements to prevent future incidents.
“It was human error,” said Cruz. “It’s been addressed with that individual [who made the mistake.]”
All STLCC students were sent an email explaining the situation on March 1, but students whose data were included in the mishandled attachment were sent an additional email informing them of the situation. Meramec’s Eric Pollack was one of those students.
Pollack first learned of the data breach on the news after the college released the information to the press, after which he checked his email. He expressed concerns with the way the news was conveyed.
“Not everybody checks their student emails. The only reason I found out was I have it attached to my gmail account,” said Pollack. “[STLCC] could have easily put this on Blackboard. I would have even accepted a phone call whether it’s prerecorded or in person. Even a face to face thing. It’s disturbing that they sent me an email and expect me to come to them for the specifics.”
But according to Cruz, email is STLCC’s “official means of communication” with students. Cruz said that news of the breach was emailed to students before it was released to the media and that it wasn’t a situation that called for student response, making an immediate method of communication less important.
“We were taking actions on our end,” said Cruz, “but I don’t think students could take much action on their own.”
Pollack did just the opposite, however, and contacted Kim Fitzgerald, Dean of Student Development and Enrollment Management at Meramec. According to Pollack, Fitzgerald told him that most of the information in the attachment, such as address and phone number, is available in the student directory.
“I voiced my concern about the data breach to her and told her my information, the A-number was compromised. I told her, that A-number is attached to financial information as well as my student ID which is a debit card. And her exact wording on the phone was ‘Oh, I didn’t think of that,’” said Pollack.
Pollack requested that his A-number be changed and all the information from his old account moved to the new one. However, according to Chief Information Officer Matthew Gioia, the change would not solve the problem, as the new number would still be attached to the old one.
“It’s not that it can’t be changed,” said Gioia. “We don’t want to give people the false impression that would potentially fix the issue.”
What will fix the issue, said Gioia, is making sure that student information is only given to students themselves. According to Gioia, STLCC’s plan to strengthen security includes placing extra precautions on student-facing employees, including mandatory FERPA (Family Educational Rights and Privacy Act) training and requiring more information to confirm student identities when a student wants to make changes to their records, both in person and online.
Gioia said there are also security improvements planned on the administrative end.
“We’re looking at all of the steps in the process that lead to this and then we’ll make recommendations for changes to some of those processes to make sure that this doesn’t happen again,” said Gioia.
Both Cruz and Gioia have stated that it is “very unlikely” that a similar incident will occur in the future. Despite this assurance, Pollack remains unhappy after what he considered a “nonchalant” follow-up with Fitzgerald.
“I felt dismissed. ‘Oh, we’re taking care of it, don’t worry.’ To me, it just felt like they were covering their own ass. I had to initiate [the follow-up],” said Pollack.
Pollack said he doesn’t believe that his A-number can’t be changed in a secure manner, and that the whole experience has “left a bad taste” in his mouth. With one semester to go before graduation, Pollack is now contemplating leaving Meramec.
“I can only do so much with what I have. I just want other students to be aware of what’s going on,” said Pollack. “Check your emails, stand up for yourself and ask questions. Being a 42 year old man, I can stick up for myself. Some of these other students, they can’t. It’s hard, when your identity gets stolen. It’s hard to recover from that.”