Oh, ouch. Any breach notification is less than happy news, but this one is pretty embarrassing for Stanford University:
I am writing to provide you formal written notice of a possible data breach involving your personal information. We believe that personal information that you provided to the Graduate School of Business prior to traveling with the university between 1995 and 2002 was accessible to faculty, staff and students at the Graduate School of Business from 2000 through early December 2017. On behalf of Stanford University, please accept our sincere apology.
What Happened
On October 27, 2017, the University Privacy Office (“UPO”) received a report that several folders with confidential information on a shared file server maintained by the Graduate School of Business (“GSB”) were accessible to GSB faculty, staff and students. The GSB IT team became aware of the incorrect folder permissions on February 23, 2017, however, because GSB did not appreciate the scope of the exposure there was a delay in informing the UPO.
That was from one of two forms of their notification letter, copies of which were submitted to the California Attorney General’s site today. The other one began:
I am writing to provide you formal written notice of a possible data breach involving your personal information. We believe that personal information that you provided to the Graduate School of Business prior to traveling with or on behalf of the university between 2008 and 2011 was accessible to faculty, staff and students at the Graduate School of Business from 2014 through early December 2017. On behalf of Stanford University, please accept our sincere apology.
While the exposure time for that one was not as long as for the first group, this one was associated with PII that included passport numbers, visa numbers, and health insurance information, including plan name, group number, and member number.
The number of individuals affected by these exposure incidents was not indicated in their notification letters. The university is offering those affected monitoring and credit restoration services.