Office of the Inspector General

TO: William Merwin, President
FROM: Linda Ciprich, Inspector General
DATE: June 20, 2003
RE: Revised Report FGCU-02-01 - Computer System Security

Dr. Merwin:

On September 20, 2002, I issued a draft audit finding concerning FGCU’s possible FERPA violation of inadvertently giving third-party access to student information. Our university website enables anyone with the social security number and birth date of a student to obtain their academic and personal information by making both their password and personal identification number (PIN) visible. A similar situation occurred last year when Princeton personnel gained access to Yale admission information and the incident made the newspaper headlines.

I consider the FGCU access to be more serious than the Yale incident because 1) rather than just admission status, a third-party can gain access to a student’s entire academic record, and 2) the third-party is able to log in as though he or she is the actual student. No security incident report is generated because the system doesn’t see the intruder. Student and employee ID cards are also issued with social security numbers printed on them.

In the finding attached, I recommended that if the university should decide not to take immediate steps to eliminate the use of social security numbers, at a minimum the clear text display of passwords should be discontinued and password requests issued by email. As of this date, our student records are still vulnerable to third-party access without the permission of the student and no changes have been made to the website. For clarification, I have included screen print images of the bypass process on my own student record password and PIN within the attached finding. With this report I am closing the audit with no corrective action having been implemented. This is a serious weakness in internal control.

The lack of confidentiality over student records could have an adverse effect on the university’s reaffirmation of accreditation. If the Department of Education determines we are in violation of FERPA, they could terminate our federal financial aid funding. I urge you to encourage the Executive Council to reconsider the problem of visibly displaying the passwords and PINs online, and thereby giving access, to anyone having the social security number and birth date of an FGCU student, e.g., parents, employers, credit processors, and faculty not in an advising position. Please let me know if you have any questions or would like me to demonstrate the problem to the Executive Council.

10501 FGCU Blvd South, Fort Myers, FL 33965-6565 TEL: (239)590-1020 SUNCOM: 731-1020 TTY: (239)590-1450 FAX: (239)590-1059

Office of the Inspector General: Computer System Security

FERPA Violation

CRITERIA: The Family Educational Rights and Privacy Act (FERPA) was enacted by Congress in 1974, quickly becoming one of the United States’ strongest privacy protection laws. [CFR, Title 34, Part 99] It gives parents the right to review and confirm the accuracy of their children’s education records until they reach the age of 18 or attend postsecondary institutions. The right then transfers to the student. FERPA also guarantees students the right to protect information that is not classified as directory information by federal law or university policy. Policy per the FGCU catalog states:

Parents, legal guardians, spouses, employers, external agencies, etc. are considered third parties and do not have permission to access a student educational record without written consent from the student.

CONDITIONS: Florida Gulf Coast University presently uses social security numbers to identify students. Since the Social Security Act of 1935, social security numbers have been used as personal identifiers in many areas, including healthcare, income taxes, and student information. The escalation of identity fraud, however, has elevated concern for privacy protection. Even before the events of September 11, 2001, Congress took steps to amend code with the Identity Theft and Assumption Deterrence Act of 1998. [USC, Title 18, Ch. 47] Since those events, state legislatures have begun to evaluate the risk and take action to increase privacy protection. Washington state legislature passed a bill early in 2002 prohibiting the use of social security numbers as student identifiers as of July 1, 2002. Many institutions in other states have made this a priority.

At Florida Gulf Coast University, student records are maintained in a computer system that can be accessed through the internet. Students enter their user identification number (USER ID), which is their social security number, and personal identification number (PIN) to access their data. If they forget their PIN, they can have the system retrieve it for them. In addition to updating their personal data, they can register for classes and view their transcripts.

Third parties with access to a student’s social security number and date of birth can gain access to the student’s academic personal information through the internet. At the sign on screen (Figure 1), one need only leave the USER ID and PIN boxes blank, and click on the link under First Time Users. A screen will open asking for the social security number and birth date (Figure 2). When that information is submitted, a new screen will open displaying the PIN in clear text (Figure 3). This process can be repeated without requiring the user to submit a PIN change; therefore the student will be unaware that someone else has accessed his or her information.

Figure 1

Figure 2

Figure 3

The system also discloses the student’s password in the same manner. Figure 4 is a screen print of the university website menu for the Division of Enrollment Management. Looking up a student’s password is a choice made by clicking on the pertinent link, displaying the screen depicted in Figure 5.

Figure 4

Figure 5

By entering the student’s social security number and the PIN, which is obtainable as described previously, the user is now presented with a clear text display of the password. Figure 6 is a display of my student password which I set as YOU*CAN*SEE*ME for this report.

Figure 6

CAUSE & EFFECT: According to the university registrar, the system was purposely designed this way by administration to accommodate applicants. They can access the system and obtain their PIN in order to find their admission status.

In addition to being information easily available to parents, social security numbers and birth dates are personal data frequently found on applications for employment, credit, financial aid loans, and entrance to other institutions of higher education. Potentially, the university could be in violation of FERPA if we are inadvertently disclosing information to third parties without the signed consent of students. Even though students can change their passwords and PINs, and are required to do so when using the Forgot PIN? button, third parties can obtain the new password or PIN by the methods described herein.

According to the Code of Federal Regulations, FGCU’s eligibility for federal financial aid could be terminated for violation of student record confidentiality. That could result in a material effect on the university’s financial statements. Florida Gulf Coast University is at risk financially and academically since reaffirmation of our accreditation with the Southern Association of Colleges and Schools (SACS) will require our attestation that confidentiality of student records is maintained.

RECOMMENDATION: Forgotten passwords or personal identification numbers (PINs) should be issued to the student by email rather than visibly displayed at the time of the request. Passwords or PINs should not be partial social security numbers unless the students are forced to change them when they are first used.

Management should consider changing primary student identifiers to something other than social security numbers. Although it may be inconvenient and expensive to change student identifiers for the entire student information system, at a minimum, management should take steps to mitigate the risk of exposure through the internet.

RESPONSE: According to a report made to the Banner Implementation Committee on February 19, 2003, the Executive Council decided not to take action on changing primary identifiers from social security numbers until after the additional Banner modules are online. The issue of visibly displaying passwords or PINs has not been addressed.
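
The recovery flow the recommendation calls for, sketched as an added example (not part of the original report and not FGCU's code): the PIN is stored only as a salted hash, the on-screen reply is identical for every request, and each request is written to an audit log so it is no longer invisible to the system. It goes one step beyond the report by e-mailing a single-use reset code rather than the PIN itself; the opaque student ID, the in-memory stores and all function names are assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

# Constructed sample record; the ID, birth date and address are made up.
STUDENTS = {"S0001": {"dob": "1980-01-31", "email": "student@example.edu"}}
AUDIT_LOG = []     # stand-in for the security event log
OUTBOX = []        # stand-in for the mail system: (address, body)
RESET_TOKENS = {}  # sha256(token) -> (student_id, expiry time)
GENERIC_REPLY = "If the details match, instructions were sent to the e-mail on file."


def _hash_pin(pin, salt):
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 200_000)


def set_pin(student_id, pin):
    """Keep only a salted hash, so no screen can display the PIN."""
    salt = secrets.token_bytes(16)
    STUDENTS[student_id].update(salt=salt, pin_hash=_hash_pin(pin, salt))


def check_pin(student_id, pin):
    rec = STUDENTS[student_id]
    return hmac.compare_digest(rec["pin_hash"], _hash_pin(pin, rec["salt"]))


def request_recovery(student_id, dob, now=None):
    """Same on-screen reply for every request; the code goes out by e-mail."""
    now = time.time() if now is None else now
    rec = STUDENTS.get(student_id)
    matched = rec is not None and hmac.compare_digest(rec["dob"].encode(), dob.encode())
    AUDIT_LOG.append({"event": "pin_recovery_request", "id": student_id,
                      "matched": matched, "time": now})
    if matched:
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        RESET_TOKENS[digest] = (student_id, now + 900)  # valid for 15 minutes
        OUTBOX.append((rec["email"], f"PIN reset code: {token}"))
    return GENERIC_REPLY


def redeem(token, new_pin, now=None):
    """Single use: the code is consumed whether or not it is still valid."""
    now = time.time() if now is None else now
    entry = RESET_TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None or now > entry[1]:
        return False
    set_pin(entry[0], new_pin)
    AUDIT_LOG.append({"event": "pin_reset", "id": entry[0], "time": now})
    return True
```

Because the reset changes the PIN, the student's old PIN stops working and the audit log holds a `pin_reset` entry, so a recovery by someone else cannot pass unnoticed.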