When a borrower was online late last Sunday or early on Monday, his personal information -- including name, Social Security number, birth date and address -- could have been exposed to another user who was also signed on at the same time and doing the exact same step, Glickman said.

The cause of the problem was a routine software upgrade by the vendor, Dallas-based Affiliated Computer Services Inc. (ACS), she said. The program had a coding error, and six Web pages were affected, she said.

ACS could not be reached for comment Friday.

"The identified Web pages have been disabled and are not going back online until we are 100% satisfied that this problem will not happen again," Glickman said. "The U.S. Department of Education takes the safeguarding of our users' personal information very, very seriously, and any compromise of users data is one incident too many."

Glickman said the number of borrowers possibly affected was less than one-half of 1% of its 6.4 million users. She said there have been no reports of identity theft. Borrowers who were online between Sunday night and Tuesday morning have all been identified and will be notified, she said.