washingtonpost.com
Lenders Misusing Student Database
Improper Searches Raise Privacy Fears

By Amit R. Paley
Washington Post Staff Writer
Sunday, April 15, 2007

Some lending companies with access to a national database that contains confidential information on tens of millions of student borrowers have repeatedly searched it in ways that violate federal rules, raising alarms about data mining and abuse of privacy, government and university officials said.

The improper searching has grown so pervasive that officials said the Education Department is considering a temporary shutdown of the government-run database to review access policies and tighten security. Some worry that businesses are trolling for marketing data they can use to bombard students with mass mailings or other solicitations.

Students' Social Security numbers, e-mail addresses, phone numbers, birth dates and sensitive financial information such as loan balances are in the database, which contains 60 million student records and is covered by federal privacy laws. "We are just in shock that student data could be compromised like this," said Nancy Hoover, director of financial aid at Denison University in Ohio.

Education Department spokeswoman Katherine McLane said the agency has spent more than $650,000 since 2003 to safeguard the database. The department has blocked thousands of users that it deemed unqualified for access after security reviews, McLane said, and it has blocked 246 users from the student loan industry for inappropriately accessing the data.

In general, the department allows lenders to search records in the database only if they have a student's permission or a financial relationship with the student.

The department has been "vigilant in its monitoring for unauthorized uses" of the database, McLane said.

Concerns about possible abuses of the database are emerging as the student loan industry is under investigation by congressional Democrats and the New York attorney general. Critics say the $85 billion-a-year industry has cozied up to government and university officials who are in a position to help lenders.

This month, a previously obscure Education Department official named Matteo Fontana was suspended after the revelation that he owned more than $100,000 worth of stock in a student loan company while he worked in a unit that helped oversee the industry -- and the student loan database. The stock holding raised questions about a possible violation of conflict-of-interest rules.

The database, known as the National Student Loan Data System, was created in 1993 to help determine whether students are eligible for student aid and to assist in collecting loan payments. About 29,000 university financial aid administrators and 7,500 loan company employees have access to it.

In a recent meeting with university financial aid directors, Theresa S. Shaw, chief operating officer of the department's Office of Federal Student Aid, which manages the database, said lenders have been mining it for student data with increasing frequency, according to three participants at the meeting. In the department's hierarchy, Shaw ranks above Fontana.

"She said the data mining had gotten out of control, and they were trying to tone it down," said Eileen K. O'Leary, director of student aid and finance at Stonehill College in Massachusetts, who was at the Feb. 26 session. "They'd seen the mining for a few years, but now they felt it had grown exponentially."

The department first started noticing a problem in mid-2003 when loan consolidation became more popular, according to an agency official who spoke on condition of anonymity because of the sensitivity of the matter. As companies began to aggressively look for low-risk borrowers to target for consolidation plans, they turned to the database for prospective customers, the official said.

Database users can view only one student record at a time, and the department can monitor each time they view an entry. "When we see them go in and out very quickly, that's when it raises flags" about data mining, the official said. Such abuse would violate department rules.

Officials grew so concerned that in April 2005, the department sent out a letter to database users warning that inappropriate use of the system -- in other words, looking for information without authorization -- could cause their access to be revoked. The letter said the agency was "specifically troubled" that lenders were giving unauthorized users -- such as marketing firms, collection agencies and loan brokerage firms -- the ability to access the database.

"Information may not be used for any other purpose, including the marketing of student loans or other products," wrote Fontana, then general manager of a unit in the department that oversaw the lending industry.

In August 2005, Cathy H. Lewis, the department's assistant inspector general, echoed those concerns in a memo to Shaw that warned of security problems with the database and the lack of regular audit trails on the system.

Through a spokeswoman, Shaw declined to comment. Fontana did not return telephone calls.

After the warnings, inappropriate usage of the system seemed to decline, according to the department official who requested anonymity. But several months ago, top managers learned that the practice had resumed -- "a pattern that's very alarming," the official said.

Some senior education officials are advocating a temporary shutdown of access to the database until tighter security measures can be put in place, the official said. McLane confirmed that such deliberations are taking place.

It is not certain that the lenders that inappropriately used the database used information from it to market directly to students. Credit bureaus, for instance, also hold personal information on borrowers that can be used to solicit customers.

But department officials believe lenders are probably using the database for marketing, according to three current and former agency employees who spoke on condition of anonymity for fear of retribution. Some university financial aid administrators suspect loan companies are probably targeting students in the database who take out loans directly with the government, known as direct loans.

"The database is being misused by the industry to raid the direct loan portfolio," said Craig Munier, director of scholarships and financial aid at the University of Nebraska at Lincoln, who was at the meeting with Shaw. "It's certainly a misuse of the intended purpose of the information and was certainly not what we intended in the higher education community when we built" the database.

Some financial aid directors say abuse of the database would explain why some students who have taken out loans only directly with the government are deluged by up to a half-dozen solicitations a day from private loan companies.

"Our students are being inundated with marketing from consolidation companies," said O'Leary, of Stonehill College. "How else are the consolidation companies getting our students' information?"

Some financial aid administrators hope inquiries into the student loan industry will extend to the possible abuse of the database.

"We are hoping that a full congressional investigation can happen," said Hoover, the Denison aid director, who also met with Shaw. "And maybe then we will find out what's really happening."

View all comments that have been posted about this article.

© 2007 The Washington Post Company