Amy Renee Leiker reports a follow-up to a breach previously reported on this site:
A December data breach that jeopardized the personal information of thousands of current and former Wichita State University students — some of whom attended the school decades ago — is now the subject of a federal lawsuit.
Michael Bahnmaier of Wichita is seeking class action status in the lawsuit, which accuses the university of negligence in keeping and storing sensitive data, waiting too long to alert potential victims about the hack, and “knowingly and deliberately” enriching itself by not paying for security measures that would have guarded against the breach.
Read more on The Wichita Eagle.
A number of the claims are the standard claims we see in breach suits, but the one I am most interested in is the one alleging negligence for storing unencrypted old data with SSN and other identity information on a server. It is a question I have raised in other breach reports, i.e., “What was that data even doing on a server connected to the internet at this point?” Leiker reports:
“WSU sat on the information for four months (total), and it had no explanation for why it was keeping unsecured data on a server for 20 or more years,” Bahnmaier’s attorney, Bill Federman of Oklahoma City-based firm Federman and Sherwood, said in a phone interview with The Eagle.
“Forget about the gold standard of security. This isn’t even the bronze.”