This article is part of a continuing series by Daily Ridge News examining how Polk State College’s administration is addressing or has addressed a range of internal concerns and oversight issues.
By Carl Fish | Daily Ridge News
LAKE WALES, FL — Polk State College officials have confirmed that a group of “trained employees” temporarily had access to more personal data than intended during a system training session in May 2024. While the College acknowledges the exposure of sensitive records—including Social Security Numbers (SSNs)—it maintains that no data breach occurred and that no unauthorized access from outside the institution took place.
The confirmation comes after a series of inquiries from Daily Ridge News, prompted in part by concerns raised following a Lakeland Ledger article exploring tensions between the College’s Board of Trustees and its administration. Among the issues raised were questions about internal handling of SSNs and whether the College took adequate steps to notify individuals whose data may have been exposed.
Misconfigured Access in Banner System
According to College spokesperson Madison Fantozzi, the incident occurred during training on the College’s Ellucian Banner system. A program coordinator discovered that sensitive personal information, such as SSNs, was visible through the system’s SPAIDEN screen, the result of a misconfigured technical setting.
“It was determined that a small group of trained staff temporarily had access to more personal data than intended because of a technical configuration error,” Fantozzi said in an email.
The College responded by suspending access, pausing training, and adjusting user permissions to address the issue.
Student Records Also Affected
Documentation reviewed by Daily Ridge News confirms that the accessible information included both employee and student records. In one case, a staff member’s spouse—also a current student—had their personal information viewed during the training. The inclusion of student data raises specific compliance issues under the Family Educational Rights and Privacy Act (FERPA).
Despite the exposure, the College opted not to notify students or employees, citing the internal nature of the incident and the absence of evidence that the data was misused.
State Audits Flag Broader Issues
Concerns about Polk State’s data handling are not new. State audits, including Reports No. 2022-050 and 2025-067 by the Florida Auditor General, previously identified similar vulnerabilities:
- Over 200 employees had access to student SSNs and other sensitive data in 2024.
- SSNs for approximately 148,000 prospective students—who never enrolled—were being retained indefinitely without a clearly defined public purpose.
- Commitments made by the College in 2021 to limit access and purge old data had not been fully implemented by 2024.
Deleted Emails and Retention Questions
As part of its response, the College acknowledged that a former employee emailed screenshots of SSNs to College officials when raising concerns about the training system. The employee was later instructed by the then–Vice President of Human Resources to delete the email to avoid the possibility of its release through a public records request.
Fantozzi said the deletion was consistent with state records retention rules and involved content that no longer held administrative value. Still, questions remain about whether those records should have been preserved due to their relevance to a possible data misconfiguration involving personally identifiable information (PII).
Whistleblower Claims Retaliation After Reporting
According to the former employee, real SSNs belonging to students and staff were visible during Banner training and system testing in 2024. He says he raised the alarm internally in May and believes that his non-renewal in June may have been linked to his attempt to report the exposure (non-renewed contracts are a persistent theme after concerns are raised by faculty).
He also alleges that the training sessions used live institutional data—including home addresses and birthdates—instead of anonymized records. This practice, he says, contradicts standard cybersecurity and data privacy protocols followed by most colleges and universities.
Lack of Technical Oversight Alleged
The whistleblower, a veteran of higher education systems, says that the College’s Banner implementation team lacked proper expertise. Rather than relying on technical subject matter experts, he claims the administration selected individuals viewed as loyal to leadership—even if they lacked sufficient knowledge to configure the system securely. This, he says, contributed directly to the exposure of sensitive data during training.
While Polk State insists the matter has been addressed, it has not released detailed information about the scope of exposure, which individuals had access, or what internal assessments were conducted afterward.
College Says Improvements Are Underway
In response to the data concerns raised in both the training incident and state audits, Polk State says it has implemented a new ERP system that allows for the purging of outdated records. The College is also working with its Registrar’s Office to establish a plan for routine deletion of records older than five years and plans to decommission its legacy Genesis system by the end of fiscal year 2025.
Still, the College has not said whether any external regulatory agencies were contacted to review the incident. When asked, officials stated that because the exposure occurred internally and was identified by an authorized user during training, it did not qualify as a formal security breach.
Questions Still Linger
While Polk State maintains that the situation was handled appropriately and does not constitute a data breach, unanswered questions remain about the scope of internal access. The College has not disclosed how many individuals were part of the “small group” who viewed the data, what specific roles or departments required such access, or whether a formal review determined how much personal information was actually seen. With limited transparency surrounding these details, some uncertainty about the depth of the incident remains.