
Private info accessible online, state audit shows

Students’ names, social security listed

Senior staff writer

Published: Monday, February 6, 2012

Updated: Tuesday, February 7, 2012 00:02

The University System of Maryland stored thousands of prospective students' names, social security numbers and, in some cases, credit card information on a publicly accessible server, a recent audit found.

Starting in 2004, the applications of more than 8,000 students who applied to college via the system's website were stored in plain text on a web server, according to the three-year audit released last month. Someone with hacking skills could have accessed the server, said Robert Koslowski, the director of the Information Systems Audit Division at the Office of Legislative Audits, which filed the report.

Although this application process has become less popular in recent years, Legislative Auditor Bruce Myers said the situation needed to be rectified nonetheless.

"It wasn't used that much, but we still thought 8,000 was still significant enough that it ought to be protected," Myers said.

Although no information was ever stolen, this isn't the first time an audit found issues with the system's web security, and several officials said they were concerned with the length of time it took for system officials to fix the problem.

A previous audit that covered 2005 to 2008 also found sensitive data in a susceptible place. That time, about 53,000 social security numbers and 21,000 credit card numbers were sitting on the server, unencrypted.

The system planned to have all of the data moved to an internal server in the first quarter of 2009, according to an audit report released early that year. According to system spokesman Mike Lurie, the move was not fully completed until December 2010, in what he called a "good-faith effort" on the part of the system.

"It turns out to be a fairly time-consuming process," Lurie said, adding the move involved a complete redesign of the web application prospective students use to apply.

But Michael Hicks, a computer science professor and the director of this university's Maryland Cybersecurity Center, said the two-year window is more comparable to 8 million records than 8,000.

"To me, it sounds like a job that should take substantially less than two years," he said.

The system is now in the process of devising a plan to store incoming applications on internal servers daily, meaning students' sensitive information is substantially more secure, Lurie said. The data will be backed up to CD once a month, he added.

Yet Koslowski said the fact that the information was available to hackers at one point is clearly an issue.

"It is not commonplace," he said. "Clearly, this should not have existed. So were we surprised? I think we were surprised, yes."

jwolper@umdbk.com
