
Security breach strikes student loan site

Software update goes oh-so-wrong...

Tags: student loan, security breach, data breach, breach

By Dawn Kawamoto

Published: 25 August 2006 08:30 BST

The US Department of Education (DoE) has disabled the online payment feature for its Federal Student Aid site, following a security breach that could affect up to 21,000 borrowers.

Federal Student Aid recipients who between Sunday and Tuesday accessed one of six web pages on the DoE site may have had their personal information exposed to others, said a spokeswoman for software company Affiliated Computer Services (ACS). The company created the technology for the Direct Loan Servicing feature on the DoE's site.

A person who logged on or tried to access parts of the site at the same time as another user may have viewed sensitive information entered by the previous person, such as name, Social Security number and birth date, said the spokeswoman.

She said: "A fix went in on Tuesday morning, and we think it's been fixed. But we're doing more testing, and until there is 100 per cent certainty, the [payment and account] functionality has been taken offline. It is up to the Education Department to say when the code is ready to go."

The spokeswoman did not have any estimates for when the Department of Education would reinstitute the payment and account functions on its site.

DoE officials said the agency has identified all the affected users and will notify them that their information may have been compromised. But, as of Thursday afternoon, there was no notice on the department's Direct Loan Servicing website informing users their security may have been breached.

A US House of Representatives committee bill that was approved earlier this year calls for businesses to alert customers when a security breach occurs, including posting notices on their websites. But the Data Accountability and Trust Act, which still requires approval from Congress before becoming law, would not have the same requirements for federal agencies.

Problems with the Federal Student Aid website began on Sunday when ACS launched a software upgrade that was designed to make the web-based interface easier to use and more secure.

But the company received four calls during a 12-hour period, informing it of problems with the site, said the spokeswoman. "That led us to investigate and pull those sections offline so the problem would not replicate itself," she said. "We take information security very seriously."

No reports of identity theft have arisen, and ACS is monitoring the situation, she added. ACS is reviewing accounts for any abnormal activity and is paying for credit-monitoring services for affected borrowers for up to a year.

Some other agencies that cater to borrowers of student loans have experienced similar security breaches. Earlier this year, the Texas Guaranteed Student Loan company said up to 1.3 million borrowers were at risk of ID theft after computer equipment loaded with sensitive student loan information was lost.

Dawn Kawamoto writes for CNET News.com
