David Karas reports:
Officials at The College of New Jersey this week reported an unintentional data breach in the On-Campus Student Employment System, an in-house system designed to store information about students applying for on-campus jobs.
According to a notice sent to students and faculty Monday, a vulnerability in the system was identified Nov. 2 by a student who applied for a position and accidentally viewed the personal information of 12 other students. The student reported the incident, officials said, and the system flaw was repaired within hours.
“Though there is no indication that any of the additional 12,815 records contained in the system were accessed by any unauthorized individual,” the statement read, “the possibility exists that the database could have been accessed through this vulnerability.”
Read more on NJ.com
“No indication… but the possibility exists?” Do they have logs going back far enough or don’t they? The statement that the State Police “has not found any evidence that data had been extracted from the system” (to date) is reassuring, but only if there are sufficient logs and the data weren’t indexed by a search engine.
So for how long did this vulnerability exist? Since 2002, when the system was built, or is this a more recent vulnerability?
And were these records indexed by Google?
There’s more information that we need to know to assess the risk of this incident, including what kinds of information were in the database.
In April 2010, the college also experienced an exposure breach, but that one involved an alumni database.