Mar 13 2014

146,000 Indiana University Student Records Potentially Exposed

An unsecured server left student and faculty data accessible to web crawlers.

College may last for only four years, but university data lives forever.

Indiana University announced on Feb. 26 that the data for approximately 146,000 Indiana University students and recent graduates may have been “inadvertently exposed to automated webcrawling programs since last March.”

This breach comes on the heels of the University of Maryland data breach, which exposed more than 309,000 records. The Indiana University breach differs in that there was no known malicious activity. The press release offers more details on how the vulnerability was discovered:

The university discovered late last week that the data had been stored in an insecure location for the past 11 months. The issue was discovered by a staff member of the university registrar’s office who accessed the files in question for internal use. The site was immediately locked down, and the information was moved to a secure location the following day.

It was determined that a change in the security protections for the site that housed the information, made in March 2013, inadvertently allowed the site to be accessed without the necessary authentication. A subsequent review of access logs late last week determined that the data in question had been downloaded only by the three automated webcrawling programs. The files in question were safeguarded to mask the nature of the data contained in them.

“This is not a case of a targeted attempt to obtain data for illegal purposes, and we believe the chance of sensitive data falling into the wrong hands as a result of this situation is remote,” said James Kennedy, associate vice president for financial aid and university student services and systems, in the official press release. “At the same time, we have moved quickly to secure the data and are conducting a thorough investigation into our information handling process to ensure that this doesn’t happen again.”

Has news of these breaches at major universities made your college re-evaluate its IT security protocols?