Penn State University recently reported an incident to the New Hampshire Attorney General’s Office that involves a now-defunct club.
According to their report, the university was notified on April 13 that a historical document uploaded to the Undergraduate Law Society‘s web site was a spreadsheet that contained two fields – SSN and DOB – that were not visible on casual inspection, but could be “unhidden” in Excel. The records therefore exposed the SSN and DOB of 379 individuals. Upon notification, the university immediately took the site offline while they investigated.
According to the university’s investigation, the file had last been modified in 2006. There was no evidence that the data had been discovered or misused by unauthorized individuals. Because the club was now defunct, the university made the 379 notifications, offering those affected one year of credit monitoring and protection services.
They do not explain why the web site of a defunct organization was still online.
PSU notes that although it has no responsibility for what clubs post on their web sites, in response to this incident, they have started working more closely with student organizations about the importance of protecting personal information, and are encouraging organizations to use the Identity Finder software to locate and then remove personal information.