Government employees have been caught stealing students’ personal information to apply for loans, credit cards and set up new cell phone accounts,Daily Mail Online has learned.
Reports on breaches of staff conduct inside the Department of Education shows how workers stole social security numbers from a database while a man was fired for trying to look up President Barack Obama’s student loan records.
Cyber security campaigners warned that the failure to protect sensitive information because of ‘bureaucratic incompetence’ is just the ‘tip of the iceberg’.
Insiders involved in illicit breaches are often overlooked, simply because the public think hackers and cybercriminals are more often to blame, they said.
Lee Tien, senior staff attorney and Adams Chair for Internet Rights at the Electronic Frontier Foundation, told the Daily Mail Online ‘insiders are frequently part of the breach story’.
He added that entities – especially the government – need to uphold their duty to safeguard other people’s personal information.
Berin Szoka, the president of Tech Freedom, insisted some of the privacy issues come from within the government.
‘As usual, the real privacy problem is government. Big Brother surveillance at the NSA is bad enough,’ he told the Daily Mail Online.
‘But bureaucratic incompetence can be far bigger problem. Failing to protect sensitive student loan data is just the tip of the iceberg of poor data security inside government.’
According to the documents – obtained by the Daily Mail Online through a Freedom of Information Act request – a number of government employees set up an illicit scheme to steal students’ information.
One woman created a bogus Department of Education account to access the National Student Loan Data System to aid her criminal plot.
While accessing the records, she would extract information from individual accounts.
She swapped around the last four digits of her SSN with those of another during the scheme, and set up the fake identity to apply for credit cards, personal loans and set up a Sprint cell phone account.
An internal investigation within the department found she went into the database 24 times between 2006 and 2009 to retrieve the information.
Just 24 hours after searching through the database on one occasion in 2009, the documents revealed she applied for a personal loan.
The unidentified employee was arrested and charged in 2011 for stealing more than $500 using the stolen details.
One of the documents related to her case reads: ‘It appears [the employee] did not have a business reason to run either name in the National Student Loan Data System (NSLDS).’
After pleading guilty, she was sentenced to 18 months in jail with a 17-month suspended sentence. However, according to the documents, the employee only served a month in prison and was then given authorized work by a judge.
It’s not known what happened to the other staff members involved in the scheme.
In 2011, a man violated department protocols by trying to access ‘Barrack [sic] Obama’s student loans records. According to the documents he consistently spelled the president’s name wrong – using two ‘r’s.
The employee involved was not prosecuted, but lost his job after departmental staff also discovered he had misused his government-issued travel card.
It is not clear why he tried to access the records as Obama has made the majority of his financial history public knowledge.
He paid off his student loans in in 2004 while he was in the Illinois State Senate. He took out $42,753 in loans to pay for his Harvard Law School tuition while Michelle applied for $40,762 in loans for her Harvard Law education.
The couple carried their debt for 25 years, but the president is believed to have paid it off using $1.9million worth of royalties from his book, Dreams of My Father. It was reissued and became a best seller after his speech at the Democratic convention in 2004.
A third Department of Education employee was investigated in 2014 for using his government email to promote his own business at the taxpayers’ expense. Some of the documents involved have been heavily redacted.
The analysis revealed there were approximately 166 calls totaling 616 minutes or approximately 10 hours of calls during on-duty hours. His calls cost the government approximately $478.36 based on his hourly salary.
He admitted that he shouldn’t have used government equipment – including a scanner, printer, phone and email – for his own personal gain, but it’s not clear what type of business he was operating or whether he was punished.
Another part of the document trove described the investigation into Joseph Butler, a veteran department employee from Clarkstown, Georgia, who accessed child pornography for years.
According to reports he was able to filter his computer activity and get around filtering software preventing government staff from visiting illicit websites.
More than 70 disturbing images were founded embedded in several Microsoft Word documents that were then saved to his government computer.
His Internet browsing history also revealed he had searched for child nudity and pornography.
Butler used his computer to download images onto CD-ROMs, which federal agents found during a search of his home in July 2011. Agents also found graphic stories Butler had written about children.
He is currently serving a 10-year prison sentence. When he is released he will have to sign up to the sex offenders register and completed five years of supervision.
The Department of Education did not comment on the revelations.
However a report in 2015 addressing ‘management challenges’ highlighted ‘repeated problems in IT security and noted increasing threats and vulnerabilities to the Department’s systems and data.’
The document said more steps needed to be taken to make sure federal employees did not breach the database.
One of the factors considered was a two-step authorization process – but it is yet to be implemented.
In September 2013 the Office of the Inspector General – who oversee the Department’s management – warned officials there were weaknesses led to ‘unauthorized accesses to private information.’