August 23, 2006
The Honorable Margaret Spellings
United States Department of Education
400 Maryland Avenue, SW
Washington, DC 20202
Dear Secretary Spellings:
I am very concerned about the adequacy of personal privacy protections on the Department of Education website in light of a story in this morning's Boston Globe entitled, "Glitch reveals too much information on Education Department website."
The story recounts the experience of a Ms. Nancy Newark, a Boston attorney, who manages her student loan payments online through the Department's website. When updating her telephone number on the Department's website on Monday evening, Ms. Newark clicked on the "update" button and was able to view another person's personal information including their name, Social Security number, date of birth, address, phone number, and email address. She claims to have seen the information of three additional people when she attempted to correct her information.
Presumably, all of those individuals, along with a reported 6.4 million others, also monitor their student loans online. This is a very serious breach of sensitive financial information and a potential windfall for identity thieves. The Globe reports that "A federal Department of Education official said yesterday that a routine software upgrade made Sunday night introduced a bug into the system that mixed up the data of different borrowers."
While I am hopeful that this is in fact a "bug" and not a systemic problem at the Department, I would appreciate your response to the following:
1. Have you determined how many individuals' private financial information was breached prior to fixing the problem?
2. Have you immediately notified each person whose personal information was compromised that a security breach had occurred so that they can protect their financial information as best as possible going forward?
3. Will you be offering credit monitoring, fraud protection or other similar services to those individuals whose personal information was compromised?
4. Is the system that failed in the case of this data base being used to manage data elsewhere in the Department? Where? What has been done to secure those data bases?
5. What steps do you intend to take to strengthen the Department of Education's data security policies in the wake of this security breach?
As I am sure you are aware, Social Security numbers and date of birth information are pure gold in the hands of identity thieves, who quickly convert them into credit cards and cash equivalents to perpetrate massive frauds.
I look forward to your response and am hopeful that the Department of Education can restore the confidence of borrowers who rely on its website to conduct student loan transactions. Should you have any questions, please contact me or my staff at 202-225-2836.