Bemidji State University is required by law to notify eligible students or their parents in writing of the date and amount of their loan disbursements for financial aid, allowing them to cancel all or part of the loan proceeds.
A computer program was developed to meet this requirement and was successfully tested several times. However, during large-scale implementation on Tuesday, Sept. 22, the program failed. An undetected flaw in the automated e-mail process mistakenly and improperly sent other students' names, student identification numbers, and loan information to a number of students.
As soon as the problem was detected, the university implemented its Technology Security Incident Plan, and steps were taken to contain the problem.
The first step taken was to shut down the student e-mail system in order to prevent delivery of the messages still waiting in the queue. An alert about the situation was posted on the university's portal, as well as on the home page.
The Information Technology Services staff continued to work throughout the night to investigate, address, contain, and resolve the problem.
Shutting down the student e-mail system prevented more than 700,000 queued errant messages from being delivered.
Programming staff members continue working to determine the cause of the situation. They have acquired a software tool that targets and removes the errant messages from the students' university e-mail inboxes without exposing or compromising other messages within those inboxes.
For students who forward their BSU e-mail to another provider (yahoo, gmail, hotmail, etc.), the university cannot recall messages that have already been delivered to the outside provider, so little can be done to resolve the situation for those copies.
Students who have received the errant e-mails have been requested to respect the privacy of fellow students by not reading the content and by deleting the messages immediately without copying or forwarding them.
A letter notifying the students of this security incident is being prepared and will be mailed.
Financial aid notification letters will be sent via regular postal mail until the technology issue is resolved.
Once the cause is determined, repeated tests will be conducted prior to any future implementation.
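The incident above is the classic batch-notification failure mode: a merge job that puts one student's record into another student's message. The university has not said what its flaw was, so the following is an added example, not BSU's program or a description of its defect. It shows a pre-send guard that checks every outgoing message carries only the addressed recipient's student ID and refuses the whole batch on any mismatch, alongside a deliberately broken builder (a hypothetical buffer that is never reset between recipients) to show the guard catching it. Student names, IDs, addresses, the 8-digit ID format and the amounts are constructed sample data.

```python
"""Pre-send cross-recipient check for a batch loan-notification job.

Added example; not the university's code. The student data, ID format
(assumed 8 digits) and the leaky builder are constructed for illustration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Student:
    student_id: str   # assumption: 8-digit ID
    name: str
    email: str


@dataclass(frozen=True)
class LoanRecord:
    student_id: str
    disbursement_date: str
    amount_cents: int


@dataclass(frozen=True)
class OutgoingMessage:
    to_addr: str
    subject: str
    body: str


# Constructed sample data (not real students).
STUDENTS = [
    Student("10000001", "Ada Example", "ada@example.edu"),
    Student("10000002", "Ben Example", "ben@example.edu"),
    Student("10000003", "Cy Example", "cy@example.edu"),
]
RECORDS = [
    LoanRecord("10000001", "Sept. 22", 275000),
    LoanRecord("10000002", "Sept. 22", 150000),
    LoanRecord("10000003", "Sept. 22", 320000),
]

SUBJECT = "Loan disbursement notice"
ID_RE = re.compile(r"\b\d{8}\b")  # matches the assumed 8-digit student IDs


def render(student, record):
    """Render one student's notice. Only this student's data goes in."""
    body = (f"Dear {student.name},\n"
            f"Student ID: {student.student_id}\n"
            f"Loan disbursement on {record.disbursement_date}: "
            f"${record.amount_cents / 100:,.2f}\n"
            "You may cancel all or part of this loan.\n")
    return OutgoingMessage(student.email, SUBJECT, body)


def build_batch(students, records):
    """Correct builder: one fresh message per loan record."""
    by_id = {s.student_id: s for s in students}
    return [render(by_id[r.student_id], r) for r in records]


def build_batch_leaky(students, records):
    """Hypothetical defect: the body buffer is never reset, so each message
    also carries every earlier student's record."""
    by_id = {s.student_id: s for s in students}
    buf, out = "", []
    for r in records:
        s = by_id[r.student_id]
        buf += render(s, r).body
        out.append(OutgoingMessage(s.email, SUBJECT, buf))
    return out


def verify_batch(batch, students):
    """Return a list of problems; an empty list means the batch is safe."""
    by_email = {s.email: s for s in students}
    problems = []
    for i, msg in enumerate(batch):
        recipient = by_email.get(msg.to_addr)
        if recipient is None:
            problems.append(f"msg {i}: unknown recipient {msg.to_addr}")
            continue
        foreign = set(ID_RE.findall(msg.body)) - {recipient.student_id}
        if foreign:
            problems.append(f"msg {i}: carries other students' IDs {sorted(foreign)}")
    return problems


def send_batch(batch, students, transport):
    """Refuse the entire batch if any message fails the check; otherwise hand
    each message to `transport` and return the number sent."""
    problems = verify_batch(batch, students)
    if problems:
        raise RuntimeError("batch refused: " + "; ".join(problems))
    for msg in batch:
        transport(msg)
    return len(batch)


if __name__ == "__main__":
    outbox = []
    print("sent", send_batch(build_batch(STUDENTS, RECORDS), STUDENTS, outbox.append))
    try:
        send_batch(build_batch_leaky(STUDENTS, RECORDS), STUDENTS, outbox.append)
    except RuntimeError as e:
        print(e)
```

The point of the guard is that it runs against the rendered messages, not the builder's intent, so it catches whatever the merge logic did wrong; running it as a dry run with a recording transport (as above) is the kind of repeated test that can precede a live send.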
The information exposed was limited to student names, student identification numbers, and loan information. No social security numbers or credit card numbers were included in the e-mails. Although student ID numbers were included, no one can access private student data held by the university using an ID number alone: electronic access to records always requires a Personal Identification Number (PIN) in addition to the student ID number. PINs were not included in any e-mail attachment, and no one, including university personnel, knows a student's PIN unless that student has provided it. The campus community is reminded to keep PINs confidential.
No one views student e-mail messages. A special tool was acquired to administratively delete the errant messages by globally searching for and removing all messages with a specific subject heading. Student e-mail inboxes were not compromised.