The University System of Maryland until recently had been storing information, including Social Security and some credit card numbers, of thousands of prospective students on a server that the public can access, according to a state audit this week.

The revelation was among seven findings from a study conducted by the General Assembly’s Office of Legislative Audits over a three-year period — from February 2008 to March 2011.

The university system’s public server kept the prospective students’ names, as well as their personal information, in “plain text” that was not formatted in any way, said the audit, which also noted that such accessible information is a common target for identity theft.

“We estimate that over 8,000 records existed on the server which contained the aforementioned personally identifiable information,” the audit report stated. “Such information could be accessible to unauthorized individuals if the related server were compromised.”

The report added that a previous audit of the university system found the same problem with information from servers not being strongly protected enough. The audit office was critical of USM server security both in 2002 and 2005 reports.

The method USM used to store personal and financial information had been in use since 1998, until officials responded to the audit’s findings by taking personal and financial data from previous prospective students off the publicly accessible server.

Since December 2010, data on prospective students applying to USM schools has been kept for three months in an encrypted format on the public access server before being moved off the server.

The new USM processes include moving data on prospective students to an internal network drive on a daily basis, and backing up the information monthly on CD-ROM.

In response to questions this week, the university system reported that no attempts were evident to hack into the server and obtain the sensitive student information when it was unprotected.

“The Office of Legislative Audits makes very good recommendations towards implementing these types of improvements,” USM spokesman Mike Lurie said Wednesday.

However, Barmak Nassirian, an associate executive director with the American Association of Collegiate Registrars and Admissions Officers in Washington, D.C., said despite the university system’s claim that no attempts had been made to hack into the server, “You don’t know who might have perused data. You don’t know who’s looked at it.”

In November, a student at the University of Texas Pan-American discovered that a spreadsheet with the grade-point averages, addresses and other personal information of roughly 19,300 students was improperly placed on a departmental server at the university.

A Nov. 11 story in The Monitor newspaper in McAllen, Texas, reported that the student’s Google search revealed the personal information of the Pan-American students, which had been accessible publicly online since Sept. 1. In responding to the problem, university officials claimed that the information was not typically useful to identity thieves, but also admitted they were unable to say who had viewed the data during that time.

Although that security problem involved enrolled, not prospective, students, USM potentially risked violating the Family Educational Rights and Privacy Act (FERPA), a federal law protecting personal student information, if there were a security breach on its server, Nassirian said.

The U.S. Department of Education states that students’ report cards and transcripts from high school and college are protected under FERPA. Nassirian said storing unencrypted personal information on students on a public server was bad practice.

Colleges and universities typically store data on prospective students, even if they don’t end up attending the school, Nassirian said. The data may prove useful if, for example, a prospective student files a lawsuit against the school.

But storing information such as credit card data for longer than necessary on a publicly accessible server made no sense, he said.

Nassirian said that although in theory USM could be exposed to legal liability for having kept the student information on a public server, in practice it was unlikely because no harm has been traced to the university system.

aujifusa@gazette.net