Sharon Gaudin reports in InformationWeek on a little problem at the US Department of Education: seems they forgot to test a software upgrade before deploying it on their website. Well, I suppose it’s no big deal…well, except to the 21,000 people whose personal information was exposed on the web for several days. Those people may not be too happy.
From the article:
A glitch caused by the deployment of a software upgrade at the department affected the part of the Web site that handles federal student loans. Between Sunday night and Tuesday, when borrowers went online to either make a loan payment or update their personal information, they were shown sensitive information about other borrowers when they clicked on “update.”
The glitch revealed people’s names, loan balances, birth dates, addresses, telephone numbers, and Social Security numbers, says department spokeswoman Jane Glickman.
“We’re very upset about this,” she adds.
Affiliated Computer Services, the Dallas-based IT outsourcer that installs and maintains the agency’s programs, installed a software upgrade on Sunday. A problem with the upgrade caused the Web site to reveal the wrong user’s data to the person submitting information online, according to Glickman.
[Howard Schmidt, the former White House security adviser and now president and CEO of R&H Security Consulting] also says basic testing of the software before it was installed on a live system would have taken care of the problem. “Before you go live with a system, you normally do the testing in a closed simulated environment,” he says. “That would have revealed the flaw before it occurred. You don’t skip the test because of what could conceivably happen.”
Okay, let me get this straight: you hired an outsourcing firm to develop software, the firm didn’t test their code, users were put at risk for identity theft, and your response is “We’re very upset about this.” I stand back in wide-eyed amazement and disbelief.
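The "closed simulated environment" test Schmidt refers to does not have to be elaborate; for the class of bug in the article (one borrower shown another borrower's record after clicking "update"), a small automated cross-user isolation check is enough to block a deploy. The following is an added example, not code from the Department of Education, Affiliated Computer Services, or the InformationWeek article. The article does not state the root cause, so the flawed handler below is a constructed, hypothetical regression (a record cache shared across sessions); the borrower records are constructed sample data.

```python
"""Pre-deployment cross-user isolation check for a loan-portal 'update' handler.

Added example; the two handlers and the sample records are constructed for
illustration and do not describe the actual 2006 Department of Education bug.
"""
from dataclasses import dataclass, replace
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Borrower:
    borrower_id: str
    name: str
    ssn_last4: str      # constructed sample value, not a real identifier
    balance: float
    address: str


# Constructed sample records standing in for the loan database.
DB: Dict[str, Borrower] = {
    "b1": Borrower("b1", "Alice Example", "1111", 12000.0, "1 Main St"),
    "b2": Borrower("b2", "Bob Example", "2222", 8500.0, "2 Oak Ave"),
    "b3": Borrower("b3", "Carol Example", "3333", 430.0, "3 Elm Rd"),
}

Handler = Callable[[Dict[str, Borrower], str, str], Borrower]

# --- Hypothetical regression -------------------------------------------
# A process-wide cache of the "current" borrower record that is not keyed
# by session. Whoever primes it first is the record every later request
# sees, regardless of who is logged in.
_current_record: Dict[str, Borrower] = {}


def update_flawed(db: Dict[str, Borrower], session_user: str, new_address: str) -> Borrower:
    """Flawed handler: serves (and overwrites) whatever record the shared cache holds."""
    if "rec" not in _current_record:
        _current_record["rec"] = db[session_user]
    rec = replace(_current_record["rec"], address=new_address)
    db[rec.borrower_id] = rec
    return rec


# --- Corrected handler --------------------------------------------------
def update_fixed(db: Dict[str, Borrower], session_user: str, new_address: str) -> Borrower:
    """Corrected handler: every lookup and write is scoped to the session's own borrower."""
    rec = replace(db[session_user], address=new_address)
    db[session_user] = rec
    return rec


# --- The pre-deployment check --------------------------------------------
def cross_user_isolation_check(handler: Handler) -> List[str]:
    """Log in as each borrower in turn, perform an update, and report any
    response whose record belongs to someone other than the session user.

    Returns a list of findings; an empty list means the check passed.
    Runs against a copy of the sample data so handlers cannot pollute it.
    """
    db = dict(DB)
    findings: List[str] = []
    for uid in sorted(db):
        resp = handler(db, uid, f"updated address for {uid}")
        if resp.borrower_id != uid:
            findings.append(f"session {uid} received record of {resp.borrower_id}")
    return findings


def deploy_gate(handler: Handler) -> bool:
    """True only if the candidate handler passes the isolation check."""
    return not cross_user_isolation_check(handler)


if __name__ == "__main__":
    for name, h in (("flawed", update_flawed), ("fixed", update_fixed)):
        print(name, "->", "PASS" if deploy_gate(h) else cross_user_isolation_check(h))
```

Run before cutover, the check rejects the flawed build because the second and third sessions are handed the first borrower's record, while the corrected handler passes. The point is not the specific bug but that a deploy gate asserting "each session only ever sees its own record" catches this whole class of regression in a staging environment rather than in production.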