Personal student information is leaked at STLCC

By Joshua Phelps
The Scene staff

St. Louis Community College announced this month that personal information for 362 students was sent to other students in an email attachment.

The information included names, email addresses, student-identification numbers and home addresses.

“The disclosure was discovered when students contacted the college to inquire,” according to a districtwide email on March 1. “Upon discovery of the breach, the college immediately located and deleted from STLCC email systems the email containing the attachment.”

Separate notices went out to the 362 students directly affected by the security breach.

“We followed all protocols as soon as we found out and let students know what had happened and offered them a number to call and folks to help them answer those questions,” said Kedra Tolson, STLCC’s executive director for marketing and communications.

The college also reported the breach to the U.S. Department of Education inspector general and the department’s Family Policy Compliance Office, Tolson said.

The college will require all faculty and staff to be retrained in the Family Educational Rights and Privacy Act (FERPA) within 30 days of the breach, the email stated.

The deadline is April 1, Tolson said.

“As soon as we found out about it, we went to work right away in trying to make sure that faculty and staff had the opportunity to retrain in FERPA,” she said.

Tolson and Vice Chancellor of Student Affairs Anthony Cruz declined to reveal who was responsible for the breach or the circumstances under which it occurred, citing an ongoing investigation and privacy concerns.

“That’s something that’s a personnel matter, and I really can’t speak about it,” Cruz said.

In the past few weeks, some of the 362 affected students have reached out to the college with questions.

“I think a lot of them wanted confirmation on what information was sent out,” Cruz said. “Some students were concerned that it was their Social Security numbers, birthdates or other information that was included.”

That information was not included in the breach, he said.

Cruz noted that release of student identification numbers, also known as A numbers, is not a FERPA violation.

But the college is taking extra steps to verify student identities and strengthen protocols for when students use their A numbers, he said.

“What we’ve done is put some extra precautions in place.”