Audit: Morgan State University lacked protections for private information

Morgan State University lacked adequate safeguards to protect sensitive personal information, and kept a database of 301,000 unique Social Security numbers alongside names and dates of birth, state auditors found.

A recent report from the Office of Legislative Audits found the Baltimore-based institution did not adhere to cybersecurity best practices, which require agencies to protect this kind of confidential data using encryption technologies or other measures to ward off identity theft and other improper disclosures.


The auditors recommended the university delete any unnecessary sensitive personally identifiable information and ensure that any other needed data is properly protected.

University officials, in response to the audit’s findings, pledged to take those steps toward safeguarding the data.

“The University is evaluating the feasibility of purchasing a third-party tool to satisfy the audit requirement, and will implement the solution by fiscal year-end,” they wrote. “Please know that the University employs various defense-in-depth strategy elements including, for example, a risk management program, cyber security architecture, physical and logical security controls, network architecture and perimeter security, host security, security monitoring, vendor management, and security awareness programs.”

The audit team was tasked with examining Morgan State’s fiscal compliance from July 1, 2013, through Jan. 3, 2017, and its report was published earlier this month. Morgan, which enrolled 7,747 students in fall 2017, is the state’s largest historically black college.

The audit also exposed issues with how the university runs its financial aid and scholarship programs, which could have cost the school more than $1 million in funding from the U.S. Department of Education. Morgan State awarded $106.5 million in financial aid during fiscal year 2016, with the majority of it federally funded.

The university did not consistently perform monthly reconciliations of its own student financial aid records and the corresponding federal documents. Based on a review of the school’s records, auditors found that Morgan State had distributed $10.7 million in aid to students, but only requested reimbursement for $9.1 million.

The university says it now carries out these reconciliations every month, and it recovered the missing $1.6 million after the audit testing was completed.

The auditors found other problems in the financial aid office, including that some scholarship amounts were overstated or awarded to ineligible students. They tested five honors scholarships, together worth roughly $98,000. Two awards exceeded the amounts in their award letters by almost $27,000. Four of the students in the sample didn’t meet eligibility requirements.

The university has agreed to strengthen the review of awards. It also said it would take another look at the scholarships in question and make any necessary changes by Feb. 28.