Nancy Newark, a Boston lawyer, just wanted to change the phone number listed on the federal government website where she manages her student loans.
But when she clicked "update" on Monday night, she saw someone else's Social Security number, date of birth, and other personal information. She clicked three more times, each time getting a new person's information -- and enough of it, she said, to commit identity theft.
"How many opportunities were there for how many individuals to be provided with my information?" Newark asked.
A federal Department of Education official said yesterday that a routine software upgrade made Sunday night introduced a bug into the system that mixed up the data of different borrowers.
He said the problem affected only people who accessed their online accounts between Sunday night and yesterday morning and who tried to use certain parts of the website. A department spokeswoman said 6.4 million people have outstanding loans in the program, known as federal direct student loans, but she said she did not know how many people use the online account system. (Other types of student loans are managed separately through private companies.)
Hudson La Force, senior counselor to the secretary of education, said four borrowers had called the department to complain since Sunday night.
He said he did not know how many people's information was compromised, but said "we think the effect is pretty limited."
"We take the protection of people's data very, very seriously," said La Force, who said the Department of Education had been investing more money this year in protecting data both physically and electronically.
"I think everybody in the federal government has gotten more focused on this issue over the last few months," in light of several security breaches in government and private industry, he said. "Even one incident is one incident too many."
Officials believe that the users who saw each other's personal information were trying to do the exact same thing on the website at the exact same time, he said. He wasn't sure what other functions besides the update button might have been affected.
On Monday, after a borrower called to report a problem, the department turned off the part of the system that it believed to be affected by the bug, La Force said, but later discovered other parts of the system were also malfunctioning -- and turned those off as well.
La Force said the affected functions will not be turned back on until the department is sure the problem is solved; he said he didn't know how long that would take.
A spokesman for
But "if it does, ACS will correct it and work with authorities to prosecute," said Joe Barrett.
Newark, a 38-year-old partner with the law firm Burns & Levinson, said she has been repaying loans she took out for both her undergraduate education at Boston University and law school at the University of Minnesota.
She said she checks the direct loan website regularly to make sure her payments have been processed. Around 10 p.m. Monday night, she logged on to update her phone number.
The first time she clicked on "update" she saw the name, Social Security number, date of birth, address, phone number, and e-mail address of a person in Iowa, she said.
Newark hit the back button on her browser and then update again. This time she saw a Social Security number but no name. She signed off and back on again two more times.
Both times, when she pressed update she saw the information of yet another person.
"I have not heard of anything quite so bizarre" as Newark's experience, said Beth Givens, director of the Privacy Rights Clearinghouse.
The organization is a California-based nonprofit that estimates that nearly 91 million records involving sensitive personal information have been involved in security breaches since February 2005.
News of various types of privacy breaches has been common in the last two years.
Earlier this month, America Online briefly released a list of 20 million web search queries.
In May, a Veterans Affairs laptop containing personal data on millions of veterans and military personnel was stolen.
In March, a Fidelity Investments laptop with information on 196,000 customers was stolen.
And in January, the Boston Globe and Worcester Telegram & Gazette inadvertently distributed credit and bank card information with bundles of newspapers for up to 240,000 subscribers.
The problem has also hit higher education before.
Both Tufts University and Boston College warned some alumni last year that data may have been stolen from outside companies that manage fund-raising activities.
Marcella Bombardieri can be reached at bombardieri@globe.com.