In the spring of 2014, a Tyler Junior College applicant at the time, realized the college had suffered a data leak when she could see the background check forms of several other students through her online housing application.
Kierra Perry had applied to TJC and also applied for housing as part of the application processes.
“The board of directors made it mandatory several years ago that all students living on campus must fill out a background check before being approved,” said Diana Karol, Residential Life and Housing auxiliary director.
Residential Life and Housing runs the background checks through the Texas Department of Public Safety for all applicants who have always lived in the state and uses a company in town called Remedy to run background checks on anyone who has not always lived in Texas.
Background checks consist of names, date of birth, previous addresses, driver’s license numbers and Social Security numbers.
“There are very strict guidelines for background checks because they have such sensitive information,” said Karol.
Housing keeps paper copies of background checks on file because applicants need to sign the bottom. Students may, however, print the paper, scan it and upload the image to their online application. The paper copies are kept in a locked cabinet in an area of the building that has low traffic.
“All students are well protected,” said Karol.
In the spring semester of 2014, the Residential Life and Housing office moved to a new software called Symplicity. Symplicity is a housing software that allows students to upload their applications and assign housing. Before Symplicity, Housing used Excel spreadsheets and did everything by hand. With Symplicity, it does all the work for them.
“We use one module of Symplicity called Residence,” said Karol. “We use that to accept online applications for Housing and we then use that for placement.”
A few students uploaded their application incorrectly to public space which made their background check available to anyone using the system.
Larry Mendez, Chief Information officer of IT, explained that when choosing the settings for the new software, Residential Life and Housing chose to give students the option to share documents. Symplicity did not fully explain the consequences of choosing this option and that is the leading reason for this exposure.
“Our first fear was that there were numerous records [jeopardized],” said Karol.
Karol said, only a single file had this glitch that allowed it to see several other background checks that had been uploaded and attached to applications.
“When we went live with this, there were months and months of setup, integration and training,” said Karol.
According to Perry, when she noticed the leak she immediately called Housing but was unable to speak with a supervisor. Perry then called the IT Service desk and explained the situation. The matter was immediately brought to Mendez.
“We had six individuals that had exposure of their information,” said Mendez. “What we did from there was we worked immediately with Residence Hall, Symplicity and our lawyers to make sure that we had everything done correctly.”
Mendez said that Symplicity provided TJC with a list of how many people saw the data. As soon as IT was notified, Symplicity shut down access to the records within 90 minutes. And within a four-day window they knew exactly what records were visible and by whom.
After the breach was noticed, according to Karol by Patti Light, Housing immediately began procedure set to deal with issues like this and contacted Administration.
Mendez said he contacted the people who uploaded their application incorrectly via email and sent a letter to their last known address explaining what had occurred.
Perry also contacted datareaches.net and explained the situation there.
Databreaches.net is a blog that contains the stories of incidents like this and believes that “we cannot protect our privacy when stewards do not do a good job of protecting our information.”
When Perry contacted databreaches.net in March, her concern was who could also see her information.
Mendez said, the possibility of another data leak is always there.
Although Perry told databreaches.net she would not attend TJC, the registrar has confirmed she is a student.
“I wanted to be close to my brother,” said Perry. “He is in Kilgore.”