Kentucky Professor Loses 6,500 Student Records On A Flash Drive

A University of Kentucky professor has lost the personal records of 6,500 former and current students, which he stored on a flash drive. The professor noticed that the drive was missing in April, but didn’t report it gone until May. At first, he thought that the drive simply had been misplaced; later he concluded that it was stolen.

The drive contained student names, grades and social security numbers, which the University uses for identification.

There is so much wrong here that I don’t even know where to start. First, there is the question of why the guy had the information on a flash drive in the first place. That sort of information needs to be self-contained within the University’s network. It shouldn’t be possible to take it elsewhere.

Second, knowing that the drive was missing, the professor should have reported it immediately. “Lost,” “misplaced” and “stolen” are merely three terms for “I don’t know where it is and there’s a chance someone else has it.”

Third, if the professor had used one of the new biometric drives, then it wouldn’t be an issue. Those things are cheap enough now that anyone who has any kind of sensitive information has no excuse for not having one.

And of course, all of this comes back to the question of why the University of Kentucky uses social security numbers for identification. The original enabling legislation for social security numebrs specifically forbade the use of SSNs as identifying numbers. I was at a school where a student sued the college because he didn’t want his social security number used as identification. He won.

As for the University of Kentucky situation, I hope some is prosecuted for this. Or at the very least, I hope that one of the affected students sues. This is just a case of gross negligence.

Comments

Add a comment