An online student loan payment service under control of the Department of Education (DOED) leaked personal identifying information on 21,000 students between Sunday and Tuesday of this past week, according to the agency.

 

Federal Student Aid recipients who were trying to access information or make payments at DOED's Direct Loan Servicing Online Web site were able to view records of other borrowers while updating their own information.

Software company Affiliated Computer Services (ACS), which handles the loan processing for the Direct Loan Servicing system, installed a software upgrade on Sunday which caused the glitch.

When DOED started receiving complaints from users that they could view others' personal data, the online payment system was immediately disabled. The site's online payment system is currently disabled due to problems with "software upgrades," according to a message posted on the home page.

ACS spokesperson Lesley Pool said the software glitch was fixed on Tuesday and the online payment system would be disabled until it was fully tested. ""It is up to the (Education) Department to say when the code is ready to go," she said, according to CNet News.

ACS has a large number of profitable contracts to provide software services with companies ranging from government agencies like the Pension Benefit Guaranty Corporation (PBGC) to companies as diverse as UnumProvident and Burger King.

The company's press kit boasts that, "It would be hard for you to go through a day without encountering the products or services of our many clients in communications, educationgovernment, healthcare, insurance, manufacturing, retail, travel, and transportation."

DOED officials said that there were no cases of identity theft reported from the data leak as of today, and that it would provide free credit monitoring for the affected users, to be paid for by ACS.

Neither the Direct Loan Servicing site or the main DOED site had any notices that borrowers may be vulnerable to identity theft as a result of the leak.

The Department of Education breach is far from the only example of potential identity fraud resulting from bad data practices in higher education. Student loan company Texas Guaranteed contracted data services out to third-party software company Hummingbird, which exposed the data of millions of borrowers when a contractor for the company misplaced a storage device containing the information.

Ohio University suffered multiple data breaches over the course of the past year, and was heavily criticized for not installing better network security or letting affected individuals know quickly enough.

Not to be outdone, many government agencies have suffered as a result of outsourcing data infrastructure work to third-party contractors. Unisys, a technology services firm performing insurance claim processing for the Veterans' Administration, had a desktop computer containing data on thousands of veterans stolen from its Reston, VA headquarters.

Government agencies have been rushing to lock down data weaknesses and provide stronger privacy protections across the board in the wake of the infamous theft of a laptop containing millions of personal records from the home of a VA analyst, often with mixed results and many problems left unsolved.