Financial aid leak was the result of human error

On Tuesday, March 27, an employee from the University of Guam (UOG) Financial Aid Office inadvertently sent the protected personal information of 154 students to 196 unauthorized recipients.

The email contained student names, ID numbers, social security numbers, and the award amounts of those who received direct loans or Pell grants for the Fanomnakan (Spring) 2018 semester. The message went to a mix of email addresses, including personal accounts such as Yahoo and Gmail, and the University’s GoTriton accounts.

The employee tried to inform 196 students of the status of their financial awards, but instead forwarded the sensitive information of the 154 students to them.

According to Jonas Macapinlac, the director of UOG’s Integrated Marketing Communications, this was the first time that an incident like this had happened at the University.

The University was informed immediately after the incident occurred. Macapinlac said the employee who sent the information informed their supervisor once they realized what had happened.

“It wasn’t a glitch in the system,” Macapinlac said. “There was nothing malicious about the action. It was just an unfortunate mistake.”

In response, the University followed its fraud prevention protocols and launched an investigation. The 196 recipients of the email were informed of the incident and were told to delete it from their accounts.

Under Guam public law, it is illegal for the recipients to keep the message.

It is also a violation of the Family Educational Rights and Privacy Act, a U.S. federal law which protects the privacy of student education records. The law states that schools cannot disclose certain information about their students without prior written consent.

According to Macapinlac, several have confirmed that they have disposed of the message.

The students whose information was sent out are being offered credit monitoring for 12 months at no charge.

A week after the incident, the students were invited to attend fraud prevention workshops hosted by UOG. The program offers 1 million dollars of insurance in case their identity is stolen. It also provides monitoring among the three major credit bureaus, so the individuals would be notified of any application for new credit.

A hotline was also offered to them so that they would be able to voice their concerns about the situation.

Social security scare

The University also reached out to the 154 individuals whose information was sent out. The responses from these individuals ranged from apprehensiveness and concern to fear and anger.

“I was initially angry, but you can’t stay mad for long,” said Johnson Ancheta, a senior Psychology major whose information was sent out.

After he was informed, Ancheta checked his accounts to see if his credit was still in good standing. He also attended the fraud prevention workshops sponsored by the University and enrolled in the free credit monitoring service the University offered.

“I’m okay, I’m just upset that I have to check my information every day,” Ancheta said. “Usually, I’d do it once a month, but now I do it every day.”

While he appreciated the fact that the credit monitoring service was offered, Ancheta stated his desire for an extension of the free program.

Although his social security has not been compromised since the incident occurred, Ancheta expressed his concern for potential future threats to his credit.

“I am concerned about it,” Ancheta said. “There are careers out there, specifically federal careers, that look at your credit report. If [for example], someone filed credit cards under your name, then it can affect your employment opportunities.”

While his trust in the University has changed, Ancheta said he cannot put all the blame on UOG.

Prevention for the future

“We’re taking a long look at ourselves,” Macapinlac said. “We’re being introspective. We’re asking, what can we do to stop this from ever happening?”

According to Macapinlac, what this means for the University is finding different ways to handle not just student information, but information in general.

Since the incident, the University has eliminated the use of students’ social security numbers as a means of verification. Instead, only their student ID numbers will be used to lessen the risk of social security concerns.

All official correspondence will be issued using the University’s GoTriton email accounts. This matters because, if a message is sent out inadvertently, the University can immediately recall it, since it controls the system.

According to Mark Duarte, the director of the Financial Aid Office, student information is stored in an Ellucian data system. Students can log in online to accept and receive their financial aid awards.

“It basically takes away the paper route where everything is done manually,” said Duarte. “We’ve done it so everything is done electronically where any student can at any time look at their awards and accept or decline their financial aid.”

The University has also been corresponding with the Federal Bureau of Investigation and Secret Service to determine a schedule of training programs for the University’s employees. Both of these institutions deal with fraud cases.

“We want to respond in a way that shows that we are concerned,” Macapinlac said. “Students have a right to be upset and angry. They have a right to be afraid. And we’ll stand by them and help them through the situation.”