Loan company loses data on 1.3 million students

About 1.3 million customers of a Texas provider of student loans are at risk of ID fraud, after a contractor lost computer equipment with sensitive information on them.

The equipment, which was not identified, contains the names and Social Security numbers of the borrowers, the Texas Guaranteed Student Loan (TGSL) company said in a statement on Tuesday. The hardware was lost by an employee of Hummingbird, an enterprise software company hired to prepare a document management system, it said.

The information was prepared by the loan company in January for use by Hummingbird. The data was encrypted and password-protected but subsequently decrypted and stored on the now-lost hardware by the Hummingbird employee, TGSL said. However, the lost hardware does require a password for access.

Toronto-based Hummingbird said in a statement on Wednesday: "The data was protected through security measures, and given the technology that would be required to retrieve the data, Hummingbird believes that any misuse of the data is extremely unlikely."

The equipment was lost on 24 May, and TGSL was notified by Hummingbird two days later, according to the financial institution's statement.

The incident is the latest in a long string of data security breaches. Last month, data on 26.5 million US veterans was seized following the theft of hardware from the home of a government employee. Others who have lost such data include the Metropolitan State College in Denver; the US Department of Agriculture; and Los Angeles' Department of Social Services, according to the Privacy Rights Clearinghouse.

Identity theft continues to plague consumers, topping the list of fraud complaints reported to the Federal Trade Commission (FTC) last year. Consumers filed more than 255,000 ID theft reports to the FTC in 2005, accounting for more than one-third of all complaints, the agency said in January.

Texas Guaranteed Student Loan said it plans to notify by mail each individual affected by the breach. This notification will include recommendations on how to protect against identity fraud, the company said on its website.

Joris Evers writes for CNET News.com