Nearly 146,000 former and current students of Indiana University may have had personal information – including Social Security numbers – exposed after three web indexing bots known as web crawlers accessed the data from an unsecured site.
How many victims? 145,966.
What type of personal information? Names, addresses, birth dates and Social Security numbers, as well as enrollment and degree information.
What happened? Three web crawlers – bots that browse the internet for web indexing purposes – accessed the data from an insecure site.
What was the response? Indiana University took the site down immediately and the data was moved to a secure location. The university is notifying all impacted individuals. An investigation is ongoing. The university is enhancing security to ensure a similar incident does not occur.
Details: The issue was discovered “last week” by a staff member of the Indiana University registrar's office. The site that contained the information – comprised of students who attended all Indiana University campuses from 2011 to 2014 – was able to be accessed without authentication due to a change in security protections made in March 2013. After reviewing access logs, the university learned that the unsecured site was accessed by the three web crawlers.
Quote: “This is not a case of a targeted attempt to obtain data for illegal purposes, and we believe the chance of sensitive data falling into the wrong hands as a result of this situation is remote,” James Kennedy, associate vice president for financial aid and university student services and systems, said.
Source: news.iu.edu, “Indiana University reports potential data exposure,” Feb. 25, 2014