Jobtrak.com security breach releases student transcripts, resumes
'Oversight' allows company's FTP server to have information on students across the country

A national college job search Web site has been listing hundreds of student transcripts, resumes and interview schedules on an openly accessible Internet server, breaking its own privacy regulations.

Jobtrak, a service that links employers to students from almost 1,000 universities, has been storing information on a File Transfer Protocol site that can be publicly accessed by any third party, Scott Holcomb, vice president of operations for the company, confirmed yesterday.

"It certainly was an oversight on our part," Holcomb said. "We've taken care of it and it will not be an issue any time in the future. We are further working to shore up the FTP site."

Jobtrak is a non-profit company that serves the University of Arizona through UA Career Services by supplying student information to employers on a national database. The service requires a privacy agreement that gives Jobtrak permission to release information such as resumes and transcripts to potential employers.

"Access from third parties is prevented by our firewall," the agreement states. "We store our information securely at our business, and only designated parties may obtain access to it."

Hours after being contacted by the Arizona Daily Wildcat, Holcomb said they have corrected the problem, and expressed regret.

Despite the privacy agreement, Ken Ramberg, Jobtrak's chief financial officer, said online services include a certain risk.

"Once you put a resume online, you run the risk that anybody can view it," he said.

FTP sites are Internet services that make volumes of data available and often do not require permission, allowing anonymous users to reach the information. Often, FTP files require a password to view more sensitive information. On Jobtrak's site, an individual who logs on as an anonymous user can find batches of information in the "public" directory.

"FTP stinks. I don't know how else to put it," said Rob Cresswell, Jobtrak's chief technology officer. "It's not the greatest protocol. The FTP server is a source of consternation."

Almost every Web site has an accompanying FTP site, which holds not only the information needed to produce the site, but programs and services that can be used by the general public.

Although the majority of Jobtrak's data is tucked away in restricted parts of the server, scores of files holding student information still exist for general viewing. Yesterday, data reaching as far back as 1998 was available to the public.

The information available on jobtrak.com included transcripts and resumes from students at institutions such as Georgia Institute of Technology and the University of California-Berkeley, schedules for employee interviews for all Los Angeles colleges, and listings of interviews for corporations.

Holcomb said the resumes were from 1998 and were mistakenly left on the server when the company switched its procedures, but have now been deleted.

The employer schedules give access to interview records of the companies' visits to the University of California-Los Angeles, Georgia Tech and UC-Berkeley.

Ramberg said the information is not part of the resume database, where Jobtrak places most of the information it receives. Batches of resumes were sent out to employers during the last two years, and a copy of each was placed on the FTP server, he said.

"It's a tiny portion of our system," Ramberg said. "What you're seeing are resumes submitted to on-campus recruiters."

Cresswell said the intent was to allow employers to readily access the resumes and transcripts at any time, which explains the easily reached files.

The employers involved were national companies such as Boeing, Robinsons-May, State Farm, MetLife and Adobe. Top officials from these companies said they were concerned about the availability of their prospective employees.

"That's information that should not be in the public domain," said Harold Covert, former chief financial officer of Adobe Systems.

One student, a 1999 UC-Berkeley graduate, had pages of personal information online - including his home address, telephone number, transcripts, resume and cover letters. The student, who asked not to be identified for privacy concerns, said he felt "violated."

"My understanding with the university was that this stuff was secure when I posted it," the student said. "It makes me feel betrayed by Jobtrak and by my university."

Before learning about Jobtrak's breach, Tom Devlin, UC-Berkeley career services director, said his university has been confident of Jobtrak's security in the past.

"We're very comfortable with the level of protection with this vendor," Devlin said. "Security is not an issue from our perspective."

Devlin declined comment about the breach.

News editors Erin Mahoney and Eric Swedlund contributed to this story.