Personal data including names, addresses and Social Security numbers of about 146,000 IU students and recent graduates is at risk for disclosure.
Staff members of the University registrar’s office discovered Feb. 21 that the personal data of students enrolled at seven IU campuses between 2011 and 2014 had been stored in an insecure location for the past 11 months.
IU spokesman Mark Land said the data was originally stored in the registrar system and used by student service representatives in the Office of the Registrar.
Land said the insecure data was a result of human error, not software error.
“The computer security is doing what it’s supposed to, it’s just that the information was unprotected,” he said.
Changes to the website made in March 2013 accidentally left files unencrypted, he said. Unencrypted files were moved to a secure server when the error was discovered last week.
“As soon as we realized something wasn’t right, we locked down and took steps to secure the data,” Land said.
No servers or systems were compromised, according to an IU press release, and no evidence suggests the information was downloaded by an unauthorized individual. It was accessed by automated computer data mining applications, or web crawlers.
A web crawler is programmed to browse the Web for the purpose of indexing. Web crawlers are able to copy all the pages they visit so users can access information more easily.
Land said while the information was likely indexed by the web crawlers and put in a search engine’s cache, IU has no evidence that the files or cache have been accessed.
“Our IT folks, who are good at this sort of thing, are confident that the chances of any of it getting exposed is pretty low,” he said. “The reason we’re notifying people about the exposure is because we have no guarantee it hasn’t gotten out. But we have no evidence those files, that cache has been accessed.”
Students and recent graduates whose data was accessed by web crawlers will be notified by IU beginning this week, Land said.
James Kennedy is the associate vice president for financial aid and University student services, where the information was stored until last week.
He said the University has policies in effect to deal with data exposures, and a call center run by experts will be available to students with questions by Friday morning.
“This is not a case of a targeted attempt to obtain data for illegal purposes, and we believe the chance of sensitive data falling into the wrong hands as a result of this situation is remote,” Kennedy said. “At the same time, we have moved quickly to secure the data and are conducting a thorough investigation into our information handling process to ensure that this doesn’t happen again.”
In addition to notifying students potentially affected by the exposure, Kennedy said, the University will set up a call center to handle questions from anyone whose information was potentially placed at risk.
IU will supply the Social Security numbers and names of those potentially affected to all three major credit-reporting agencies. The Indiana attorney general’s office was notified of the data exposure as well.
The University has posted information online with guidelines on how to monitor one’s credit report to check for any unusual accounts that may have been created.
Land said that, as part of normal data security procedures, data are given file names and extensions that are meant to be meaningless to outside sources in order to obscure the files’ identity. He said that, to the best of the University’s knowledge, individuals would not be able to find the indexed data by searching for a student’s name.
“We take this very seriously,” Land said. “We apologize for any concern this causes people and we will get on this to make sure this sort of mistake doesn’t happen again.”
Matt Bloom contributed reporting.