MIT Discovers Personal Data Leak
By Marissa Vogt
Personal records, including some social security numbers, of approximately 800 members of the MIT community were recently e-mailed to an MIT mailing list, according to an MIT press release. The file containing the information was sent from the office of the vice president for research, and was received by approximately 150 people, most of whom are affiliated with MIT, according to the press release. MIT became aware of the incident on April 26.
Timothy J. McGovern, information technology security support manager, said that everyone whose personal information had been compromised has been notified. He also said that the people who accidentally received the e-mail have been “100 percent” cooperative. Part of the purpose of dialogue between Information Services and Technology and the recipients of the e-mail has been to determine whether they had looked at or forwarded any of the personal data, McGovern said.
McGovern said that IS&T is currently “in the early stages of hearing back from people who have concerns,” but that the possibility of a more serious investigation is being discussed. A task group is being formed in direct response to the security leak, he said. The membership of the task group as well as its agenda will be set by the senior officer group, which includes a vice president and various deans.
In 2004, the social security numbers of over 11,000 MIT employees were posted in a publicly accessible file for six months before MIT administrators were made aware of the problem. MIT’s actions in notifying the individuals who were affected by the leak set a precedent of “disclosure as quickly as we possibly can,” McGovern said.
This type of security breach is “very rare,” McGovern said, and “the weakest link in many of these cases still remains … the possibility of human error.”
McGovern also said “we’re in pretty good shape,” and that he is optimistic about the eventual resolution of the incident. He praised MIT’s prompt discovery of and response to the breach, and the cooperation of the people who inadvertently received the personal data. It is a testimony that the members of the MIT community “do understand the sensitivity of the information and do safeguard it,” he said.
The MIT press release also said that electronic copies of applications to the Summer Research Program had been unintentionally placed online and had been publicly accessible until May 2. The applications also contained personal data and were removed once MIT discovered the error.
Individuals with questions about protecting their personal data can contact IS&T at firstname.lastname@example.org or visit http://web.mit.edu/infoprotect/ for more information.