The University of Baltimore has added protections to personal student data that officials had left unsecured possibly for years, according to a state audit released this month.
The information on 117,793 students was kept in text form in a database that contained names, addresses, dates of birth and Social Security numbers. The lapse was discovered during a routine audit by the Department of Legislative Services’ Office of Legislative Audits.
Such sensitive personally identifiable information is “commonly associated with identity theft,” read the audit, which covered July 2013 to mid-September 2016. “Accordingly, appropriate information system security controls need to exist to ensure that this information is safeguarded and not improperly disclosed.”
The university did not dispute the findings in its response to the audit and officials said they had encrypted the data in 2017 according to state security standards. There was no indication in the audit that the data was inappropriately released or used.
“While there was no improper release of [personally identifiable information] by anyone or any system at UB, we have implemented data encryption to ensure that all [personally identifiable information] is protected and secure,” said Chris Hart, a university spokesman.
The auditors had other concerns, mainly centering on oversight of vendors and record collection and record keeping related to financial aid and the residency status of its student.
The audit found the university did not properly monitor an advertising and marketing contract and increased the hourly rate it paid the firm, which was not named, without a formal contract modification. The difference in payments amounted to $22,600, and the auditors recommended officials seek legal advice about whether it should make an effort to recoup the money.
The university also contracted directly with the state health department for work that was not core to its mission and allowed the health department to avoid formal bidding for the work.
In each case, the university agreed with the assessment.
Hart said all the auditors’ recommendations had been implemented.
“A number of these procedures were in place by the time we received the findings,” he said. “Essentially, we believe we are now fully compliant per the recommendations, and we appreciate the diligence of the Office of Legislative Audit in pointing out areas where updates to our processes were needed.”