Cal Poly Pomona discloses online security breach


The Social Security numbers, home addresses and phone contacts for at least 300 students who applied for admission to Cal Poly Pomona six years ago were unintentionally disclosed online, according to the university.

The personal information remained on the university server and accessible to the public for about five years, school officials said.

The applicants were notified last week and urged to contact credit reporting agencies, school officials said.

The personal information, which did not include financial data, “was mistakenly put in a publicly accessible folder on a university server in November 2003, and Google and other search-engine companies mined the data, according to a statement released by Tim Lynch, senior media communications coordinator for Cal Poly Pomona.

Lynch said a maximum of 355 applicants could have been affected.

The file containing the applicants’ data was removed from the university server in November 2008, when it came to the attention of university officials that it was publicly accessible, Lynch’s statement said.

But school officials were unaware that “some of the contents of the file were retained in keyword indexes maintained by Google,” it added.

When a former student applicant notified the university on Aug. 20 that he’d come across his personal information while searching Google, the university contacted Google and asked the firm to purge the information from its servers. There was “no evidence or knowledge that any information was misused,” the university said.

All of the applicants whose information was potentially available on a public site were informed by mail Tuesday and encouraged to contact credit reporting agencies. California residents are entitled to one free report from each of the three agencies annually.

Cal Poly Pomona is hardly alone in the situation. Internet security breaches have occurred at universities nationwide over the years.

In 2005, for example, UC Berkeley reported a computer breach in which the sensitive personal data of tens of thousands of people may have been compromised. UCLA revealed in 2008 that one or more hackers had gained access to a university database containing personal information on about 800,000 of the university’s current and former students, faculty and staff members, among others.

Last year, a breach at Sonoma State University exposed the Social Security numbers of about 600 former computer science students whose numbers were on an internal department Web server.

Stephanie Doda, chief information officer at Cal Poly Pomona, said in a statement that the university had taken steps to correct potential problems. “We take the protection of personal information very seriously,” she said.