Raleigh, N.C. — More than 60,000 people who contribute to NC 529 college savings plans have had some of their personal information inadvertently revealed on a third-party website.
Two large data files available on the website of a Forsyth County tech company listed the names, addresses, and ages of tens of thousands of people who contributed to NC 529s, along with the name of the child who is the beneficiary of each account.
The files did not contain birth dates, Social Security numbers, any bank or financial information or any passwords or identifiers for the College Foundation of North Carolina site.
The North Carolina State Educational Assistance Authority oversees the plans, and Director Steve Brooks was informed of the problem Tuesday evening by WRAL News.
Brooks said the problem apparently occurred during the development of the group's new NC 529 scholarship drawing – a promotion designed to encourage contributions to 529 plans.
"The good news is our servers were never compromised. Nobody got access to anyone's account, nor did they get access to any financial information," Brooks said. "We don't have any reason to believe anyone is at risk for identity theft."
"It's a really unfortunate occurrence," Brooks added.
NCSEAA was working with Cassels, Caywood and Love, a Winston-Salem marketing company – Brooks says they've worked with the firm for 20 years – and some of the programming work was outsourced to ThinkVents and a related firm, Inner Eye.
According to Brooks, ThinkVents and Inner Eye were working on the scholarship contest website. The contractor provided them with files of names and addresses of current NC 529 account holders so that those people would automatically be entered into the drawing.
The data files were on the subcontractor's staging server and should have been removed after the development stage but were not, he said. The downloadable files were apparently available for at least two weeks.
"It shouldn’t have ever been in a place where it was accessible on the web, but it was," Brooks said, "It's our responsibility that it was out there."
ThinkVents owner Robert Chapman did not respond to a message from WRAL News late Tuesday, but someone at the firm removed the information from the website shortly after receiving an.inquiry.
The data that was exposed doesn’t legally constitute a breach of privacy under state or federal law, Brooks said, but NCSEAA will still notify all account holders Wednesday by email, alerting them to the issue.