Only Time Will Tell With DOE Security Breach

Who needs hackers when you can have a bad software install? That's what's getting blamed for the exposure of personal data of federal student loan recipients who logged on to the Department of Education's Web site during two days last week.

Late on Aug. 20 and the next two days, loan recipients using the site might have seen someone else's data instead of their own, says an Education spokeswoman. The problem occurred when they tried to update their information at one of nine fouled-up Web pages on the site. Those pages won't be put back online until the department is certain it can't happen again.

Joe Barrett, a VP at Affiliated Computer Services, which maintains the site under contract, insists the problem has been fixed, but he didn't know what software had been installed or if it had been tested prior to deployment. As of late last week, there hadn't been any reports of identity theft from the incident.

But loan recipients shouldn't rest easy. "Without some postmortem and some serious forensics to find out who was on there and what was exposed to them, you're not going to know what happened, are you?" says Howard Schmidt, former White House security adviser and now CEO of R&H Security Consulting. Only time will tell how serious the damage was.