Buffalo State College employees left the personal data for hundreds and possibly thousands of students exposed on the school's internal computer network for several days last month, college officials acknowledged this week.
The school learned about the security lapse only after a student noticed the problem and told a faculty member, who informed college staffers, said Voldemar Innus, a Buffalo State vice president and chief information officer.
The student names, Social Security numbers and other information were secured that same day, Innus said, and the college is certain none of the data was removed from the network.
"We've reviewed this particular incident and we've taken appropriate steps," Innus said without elaborating.
Buffalo State is not alone in wrestling with how to ensure the security of its computer network and the sensitive data stored on the system.
The Privacy Rights Clearinghouse, which tracks the number of personal records lost or exposed in major incidents, notes that figure has reached 100 million since February 2005.
College campuses appear particularly prone to these security lapses or outright thefts.
"I think it's actually a huge issue for colleges and universities and I think they need to come to grips with the security issues they have," said Beth Givens, director of the clearinghouse, an education and advocacy organization based in San Diego.
The Buffalo State security lapse occurred sometime in late November, according to Innus.
Employees conducting normal college business "inadvertently" left computer files containing student data in a section of the Buffalo State internal network that was accessible to the public, Innus said.
The files contained the names, Social Security numbers, grades, addresses and phone numbers of hundreds or possibly thousands of Buffalo State students, according to a student who notified The Buffalo News of the incident.
The information was never in a place accessible to the general public on the World Wide Web. The college's internal network is open only to students, faculty and staff, Innus said.
The data was on the network for less than three days, he said.
On Nov. 30, a student who was using the college computer network stumbled across the data. He told a faculty member of his discovery, and the teacher quickly told college staffers.
The college's network security system is able to track who accessed the information, Innus said. A "very small number" did so, though Innus would not say precisely how many.
However, the school can tell that no attempt was made to download the information or otherwise remove it from the network, he said.
Buffalo State did not inform students or the media of the security lapse.
Innus said the college decided not to disclose the data lapse after school officials determined no information was stolen.
Matthew Levin-Stankevich, president of Buffalo State's United Students Government, said he was satisfied with the college's explanation of the incident after learning about it from The News.
"It's definitely a concern, but I think they'll take care of it," he said.