Indiana University issued the following statement today:
Indiana University notified the Indiana attorney general’s office today of the potential exposure of personal data for some students and recent graduates.
The data potentially at risk for disclosure includes names, addresses and Social Security numbers for approximately 146,000 students and recent graduates across seven IU campuses who attended the university from 2011 to 2014.
Unlike recent high-profile data breaches, however, no servers or systems were compromised. The information was not downloaded by an unauthorized individual looking for specific sensitive data, but rather was accessed by three automated computer data mining applications, called webcrawlers, used to improve Web search capabilities.
Immediately upon discovering the potential issue, IU secured the data, and the university has no evidence that the files have been viewed or used for inappropriate or illegal purposes. As a precaution, however, the university will begin notifying all affected students of the possible data exposure this week.
“IU takes the security of all its data, especially the personal information of its students, extremely seriously and apologizes for any concern this issue may cause among our students and their families,” said John Applegate, executive vice president for university academic affairs. “The university also is committed to assisting those whose information was potentially exposed.”
In addition to notifying those affected by the potential exposure, IU is taking the following steps to minimize the potential impact of this incident:
- The university will set up a call center to handle questions from anyone whose information was potentially placed at risk as a result of this situation. That center will be operational no later than 8 a.m. EST on Friday, Feb. 28, at 866-254-1484.
- A website with information on how to monitor one’s credit accounts and with answers to other questions regarding the potential data exposure has been established at https://apps.usss.iu.edu/usss-data-exposure/faq.cfm.
- To assist with credit monitoring, IU will supply the Social Security numbers and names of those potentially affected to all three major credit-reporting agencies.
The university discovered late last week that the data had been stored in an insecure location for the past 11 months. The issue was discovered by a staff member of the university registrar’s office who accessed the files in question for internal use. The site was immediately locked down, and the information was moved to a secure location the following day.
It was determined that a change in the security protections for the site that housed the information, made in March 2013, inadvertently allowed the site to be accessed without the necessary authentication. A subsequent review of access logs late last week determined that the data in question had been downloaded only by the three automated webcrawling programs. The files in question were safeguarded to mask the nature of the data contained in them.
“This is not a case of a targeted attempt to obtain data for illegal purposes, and we believe the chance of sensitive data falling into the wrong hands as a result of this situation is remote,” said James Kennedy, associate vice president for financial aid and university student services and systems. “At the same time, we have moved quickly to secure the data and are conducting a thorough investigation into our information handling process to ensure that this doesn’t happen again.”