University of Florida officials are trying to control the potential damage from a mistake that made the personal information of nearly 12,000 students available on the Internet.
The information includes student names, addresses, Social Security numbers and academic records such as grade averages.
The school's largest-ever privacy breach involves current and former students who were enrolled in the College of Liberal Arts and Sciences from 2003 to 2005, and who had contact with the Office for Academic Support and Institutional Service, known as OASIS.
The office identifies low-income and first-generation college students who might be expected to struggle in college and helps them with tutoring, counseling, course selection, time management, stress management and other services.
About 11,300 students will receive letters this week notifying them of the breach.
Officials uncovered the problem in May as part of a routine audit schedule put in place after a much smaller information breach in November.
An audit by the school's department of academic technology found that two OASIS student employees created online student accounts and uploaded them to an Internet server so they could work on the database from outside the office. But they failed to install security measures to keep others from viewing the records, officials said.
Since 2005, the site has been "dormant but accessible," said university spokesman Steve Orlando. "It was just sitting there."
The university removed the information immediately. It also conducted a forensic audit and found no evidence anyone outside OASIS accessed the site, Orlando said. "But we just can't say with 100 percent certainty that that didn't happen." The letter being sent this week says the risk of identity theft from the breach is extremely low.
Orlando could not immediately determine whether anyone had been disciplined in the case or whether any OASIS supervisors knew the student employees were creating online student accounts. The students have since left the university.
About 570 students affected by the breach were not sent letters because the university does not have their contact information. Students who think their records may have been exposed and do not receive letters should consult the school's privacy Web site, privacy.ufl.edu, or call toll-free 1-866-876-4472.