Publication Date: November 24, 2003
Author: General Manager: FSA Schools Channel
Summary: Common Origination and Disbursement (COD) Web Site Security: Action Required.
Posted on 11-24-2003
To: All Destination Points
From: U.S. Department of Education
RE: Common Origination and Disbursement (COD) Web Site Security: Action Required
This is to inform you of a defect in the COD web site software that allowed internet browsers (e.g., Internet Explorer, Netscape Communicator) to store (or cache) data protected by the Federal Privacy Act, such as students' names, SSNs, and home addresses, on personal computer hard drives. This "cache" stores a replica of a web page, including any personal student information, from the last time that page was viewed in a given day. For example, if the Person page was viewed 5 times in a day, the data from the fifth time is cached. To access cached pages, a person has to log on to the personal computer and have access to the specific folder (or directory) where the cached pages are stored.
The defect was fixed in the COD application currently in production on Tuesday, November 18. This fix should prevent computers from storing web pages in a personal computer's cache. However, the fix will not delete pages currently cached on computers in your institution that have been used to access personal information on the COD web site.
ALL INSTITUTIONS MUST TAKE IMMEDIATE ACTION TO DELETE ANY INFORMATION COVERED BY THE FEDERAL PRIVACY ACT WHICH CAME FROM THE COD WEB SITE AND IS STORED ON ANY COMPUTER OWNED OR UNDER THE CONTROL OF THE INSTITUTION. FAILURE TO TAKE PROMPT ACTION, AND LEAVING PRIVACY ACT INFORMATION UNSECURED ON THESE COMPUTERS, IS A VIOLATION OF YOUR INSTITUTION'S PROGRAM PARTICIPATION AGREEMENT WITH THE DEPARTMENT OF EDUCATION.
To clear the cache on computers using the Microsoft Internet Explorer software, take the following actions:
1. Start the Internet Explorer program.
2. Open the Tools --> Internet Options menu item.
3. On the General tab (should be the tab displayed), click the "Delete Files" button.
4. Select the "Delete all offline content" box on the pop-up window.
5. Verify that all the files have been deleted.
   a. To verify that all the files have been deleted, take the following actions:
      i. Open the Tools --> Internet Options menu item.
      ii. On the General tab (should be the tab displayed), click the "Settings" button.
      iii. Click the "View Files" button.
      iv. Verify that the only files left are any cookies from various sites you may have visited.
We realize that not all institutions use Microsoft Windows operating system software, or Microsoft Internet Explorer browser software. If your institution uses other products, it must take all necessary actions to delete personal information from your institution's computer caches in accordance with how these products operate.
If you have questions about the matter, please contact the COD School Relations Center at 1-800-4PGRANT, or by email at CODSupport@acs-inc.com. Thank you for your immediate assistance in addressing this matter of vital importance to the privacy of your students.
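The notice does not say how the COD fix was implemented. As an added example (not part of the original announcement and not COD code), the following check shows which standard HTTP response headers actually stop a browser from keeping a copy of a page, assuming the usual `Cache-Control: no-store` approach; the function names and sample responses are constructed for illustration.

```python
import re

# One Cache-Control directive: token, optional =value (value may be a quoted string).
_DIRECTIVE = re.compile(r'\s*([A-Za-z0-9_-]+)\s*(?:=\s*("[^"]*"|[^,]*))?\s*(?:,|$)')

def cache_directives(headers):
    """Merge every Cache-Control header in (name, value) pairs into {directive: arg}."""
    found = {}
    for name, value in headers:
        if name.strip().lower() == "cache-control":
            for key, arg in _DIRECTIVE.findall(value):
                found[key.lower()] = arg.strip().strip('"')
    return found

def audit(headers):
    """Return (storable, notes): may a browser keep a copy of this response?"""
    d = cache_directives(headers)
    if "no-store" in d:
        return False, ["no-store: the browser must not keep a copy"]
    names = {n.strip().lower() for n, _ in headers}
    notes = []
    if not d:
        notes.append("no Cache-Control header: the page may be stored")
    if "no-cache" in d:
        notes.append("no-cache forces revalidation but still allows a stored copy")
    if "private" in d:
        notes.append("private excludes shared proxies, not the local browser cache")
    if names & {"pragma", "expires"}:
        notes.append("Pragma/Expires alone do not forbid storage")
    return True, notes

# Constructed sample responses (not captured from the COD web site).
SAMPLES = {
    "no_headers": [("Content-Type", "text/html")],
    "revalidate_only": [("Cache-Control", "private, no-cache"),
                        ("Pragma", "no-cache"), ("Expires", "0")],
    "no_store": [("Cache-Control", "no-cache, no-store, must-revalidate")],
}

if __name__ == "__main__":
    for label, headers in SAMPLES.items():
        storable, notes = audit(headers)
        print(f"{label}: {'STORABLE' if storable else 'not stored'}")
        for note in notes:
            print("   -", note)
```

A page that carries personal data should pass this check with `storable` false; the headers only affect future responses, so copies cached earlier still have to be deleted by hand as the notice requires.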