Data Breach At Louisiana Office of Student Financial Assistance

The Louisiana Office of Student Financial Assistance has waited a month to inform students that a disc containing their FAFSA information has been lost. The FAFSA includes information “generally used in identity theft like names and social security numbers,” according to Melanie Amrhein, director of the office. The disc had “added security measures” that she says makes it “unlikely” that anyone will decipher the data.

Maybe the disc has that new Sony Blu-ray DRM. Ohh, mean!

Anyhow, if you fall into any of the following categories, your data might have been compromised:

  • Anyone who has a Louisiana College Savings account (START Saving Program).

  • Any resident of the state of Louisiana who has completed a Free Application for Federal Student Aid (FAFSA).
  • Anyone who has completed a FAFSA and included a Louisiana postsecondary institution as an institution to which FAFSA data should be sent.
  • Anyone who has applied for or received a Tuition Opportunity Program for Students (TOPS) Scholarship.
  • Anyone who has applied for or who has received student financial aid in the State of Louisiana.

To see if your data is among the missing, click here.

Security of FAFSA, TOPS compromised [LSU Daily Reveille] (Thanks, Geoffrey!)


Edit Your Comment

  1. Schwartz says:

    From what I’ve heard on the local news, the breach wasn’t actually the fault of LSU, but that Iron Mountain lost the data. I noticed about a month ago that all of my Iron Mountain boxes that I’ve been getting back from them have big zip ties on the locks now, which have to be cut to get the boxes open. Makes me wonder if it’s related to them losing LSU’s data.

    And yes, we actually can use computers in Louisiana. Amazing, I know.

  2. Some things to think about:

    -LSU Football is far more important than this to the state capitol’s newspaper. Not a single mention of this in the Daily Advocate.

    -Waited a month to tell people? Par for the course in Louisiana govt.

    -“Added security measures” = password. Password is probably “tigers” or “lsu”.

  3. Nighthawke says:

    Oh dear God, their secure destruction/storage contractor dropped the ball. That has to really sting.
    Iron Mountain is a massive nationwide operation, with a secure storage vault that is in a mountain side.

  4. gacompguy says:

    From the site: “The data is compressed and requires special software, specific computer equipment and sophisticated computer skills to access it.”

    The data is compressed? So, that means they were able to get MORE on the tape! Correct me if I’m wrong, but wouldn’t someone with “sophisticated computer skills” probably have access to the equipment and software needed to pull the data off that tape (assuming it is a tape). If they are really using “special software,” why didn’t they turn on encryption?

  5. thirday413 says:

    @CaliforniaCajun: Sad but true.

    As a follow up, I found this link on LOFSA’s site that lets you know if your data was “potentially lost” (Not sure how that works; it either is or isn’t):


    I guess I won the lottery because my name is on the list! Woo hoo!

  6. Consumerist Moderator - ACAMBRAS says:

    I went to LSU. Since I finished grad school there 4 years ago (2003), I figured I probably wouldn’t be affected by the breach. But since I had filled out FAFSAs, I followed Meghann’s link to the LOSFA website. After submitting my last name, DOB, and the last 4 digits of my SSN, I was directed to a page saying that my name and SSN were included in the breached info. The page advised me to put a fraud alert on my credit report and gave the 800 #s for the 3 credit bureaus. I’ll let you guys know what, if anything, happens with this.

    It’s worth noting that until recently, LSU used SSNs as student numbers. IIRC, in 2002 they changed everyone’s student IDs so that the student number wasn’t the SSN. But LSU’s mainframe still used SSNs as student identifiers, so any time you had to do any business with the university (registration, academic counseling, etc), the first question asked was “What’s your social?” Boy, if a freshman didn’t know his SSN before going off to college, he had it memorized within the first week. I think they’ve finally changed over to new student numbers, but it’s only been very recently. Hell, even the Louisiana DMV figured out that SSNs shouldn’t be on driver’s licenses in the 1990s.

    Geaux Tigers.

  7. IndyJaws says:

    At our financial services company, whenever we transmit any borrower data, we’re required to use PGP (or similar) encryption. I can’t imagine LSU not using encryption as well (perhaps they meant encryption, not compression?).

  8. costanza007 says:

    Ok, it was in the Advocate (local Baton Rouge paper), and it was a contractor, Iron Mountain, not the state agency, and certainly not LSU who lost the backup media.

  9. thirday413 says:

    @Consumerist Moderator – ACAMBRAS: From the comments I’ve seen from affected students on the Reveille site it’s looking like students from 2000-2004 are the main group affected. Only time will tell. And yes, the new student numbers went into effect last year but weren’t enforced as the only acceptable number until this school year.

  10. Upsilon says:

    Well, if my identity has been stolen (which I don’t know, because my internet connections sucks at home), I’m just going to say “fuck this”, ditch my identity, and go pursue a job as a bounty hunter. I mean, that is way easier than trying to fix your credit and identity with various companies and the government, right?


  11. drjayphd says:

    Any proof Pokey Chatman wasn’t involved? Or does she just stick to shtupping her players?

  12. Consumerist Moderator - ACAMBRAS says:

    What, you couldn’t figure out a way to post such a silly and irrelevant comment on Deadspin, so you brought that crap here?

  13. drjayphd says:

    @Consumerist Moderator – ACAMBRAS: Sadly, no, I couldn’t. Now where’s that delete button… oh. Shit.