Prompted by three reports of private information exposed to the public on UCLA Extension's Web site, campus officials have shut down the site's registration function while they try to fix the problem and notify nearly 200 users.
The decision came after three people who tried to sign up for extension classes Tuesday reported problems. At least two said they saw the name, birth date, Social Security and credit card numbers of the previous registrant displayed on the site.
University officials say they have no evidence that other users encountered the problem or that hackers were involved. "From what we can tell this was something other than a widespread problem," said David Menninger, UCLA Extension associate dean.
Nonetheless, "it's scary stuff," said Ryan Sloan, a student who learned Monday that his financial information was being displayed on the Web site. "Just when you think it's safe to go out onto the Internet waters."
Eric Chang, director of management information systems for UCLA Extension, said administrators were first alerted to a possible problem by a site user Monday, but were unable to identify a cause. They nonetheless took steps they thought would clear any glitches.
Everything appeared to work until Barbara Stendal, a San Pedro Web site consultant, logged on Tuesday afternoon to register for a writing class. Stendal saw Sloan's information displayed on the payment form, and said she became concerned that numerous users of the site might be at risk.
Stendal alerted Sloan, who logged on to see for himself--and found he was able to view the credit information of a third user. Both users tried to notify Web site administrators. The function was shut down at 4:22 p.m.
Chang said administrators have since traced an error message to three cases--including Stendal's and Sloan's--in which a person logging on to register was able to see data submitted by the previous person who had registered.
No misuse of information has been reported, and calls to dozens of other users of the site uncovered no further problems, he said. However, all 193 people who registered on the site Tuesday would be informed of the problem, he said.
Doug Cavit, chief information officer for McAfee.com, an online security service, said that it's reasonable to "notify people, give them the facts, and let them come to their own conclusions," especially if the cause of the problem remains unknown. But in the absence of evidence of large-scale breaches or malicious intent, risks to Web site users were probably nominal, he said.
UCLA Extension has been using the Web site to register students since last summer. About 15,000 students yearly use the site to sign up for classes, about 10% of all extension students.