University leaves student data exposed for 11 months


The names, addresses, and Social Security numbers of 146,000 students and recent graduates of Indiana University (IU) may have been exposed after the data was kept in an insecure location for nearly a year.

indiana-university-data-breach“This is not a case of a targeted attempt to obtain data for illegal purposes, and we believe the chance of sensitive data falling into the wrong hands as a result of this situation is remote,” said James Kennedy, associate vice president for financial aid and university student services and systems at IU, in an announcement.

The data breach was found last week by an employee in the university’s registrar’s office.

The data, which concerns students who attended the university’s seven campuses between 2011 and 2014, was not accessed by any “unauthorized individual looking for specific sensitive data,” the university said.

It was, however, accessed by three data mining internet bots, called webcrawlers, used for web indexing on the search engines Google, Scirus, and Baidu.

IU moved the data to a secure location and notified the state’s attorney general. Students and graduates were alerted of the issue late Tuesday.

Do you have a cloudy view of today’s data centers?

People whose data was accessed by the webcrawlers will be notified this week.

The university launched a website offering information on how to monitor credit accounts, and it will also establish a call center by Friday to field questions from anyone whose data was exposed.

Some students and graduates expressed frustration that IU waited until this week to alert students of the breach.

“Let me get this straight,” one recent graduate wrote on Facebook Tuesday. “IU goes crazy with notifications any time there is severe weather or any sort of crime on campus, but has yet to notify students that over 140,000 files including SSNs were breached?”

Jeff LaFave, a 2013 graduate who now lives in Bloomington, Ind., where IU’s main campus is located, said he was not angry about the lag in communication.

But he has heard grumblings from IU students there, many of whom received the news through the student newspaper after walking to campus in 15-degree weather Wednesday morning.

“It’s understandable that the administration wants, and uses, extra time to make the right chess move in a game called public relations, but the average 21-year-old on-campus student that trudges through snow and faces a giant student loan bill isn’t going to take any such news with patience,” LaFave said.

IU’s announcement comes less than one week after a massive breach at the university’s future Big Ten conference-mate the University of Maryland. That exposure of more than 300,000 records was the result of a targeted and sophisticated attack.

Keeping sensitive student data under wraps has been a struggle in higher education.

More than 3 million records were compromised in data security breaches at colleges and universities last year, accounting for ten percent of all data breaches in the United States.

Higher education networks are 300 percent more likely to contain malware than their enterprise and government counterparts, according to OpenDNS, an internet security company.

“IU takes the security of all its data, especially the personal information of its students, extremely seriously and apologizes for any concern this issue may cause among our students and their families,”  John Applegate, executive vice president for  academic affairs at IU, said. “The university also is committed to assisting those whose information was potentially exposed.”

Follow Jake New on Twitter at @eCN_Jake.

Sign up for our newsletter

Newsletter: Innovations in K12 Education
By submitting your information, you agree to our Terms & Conditions and Privacy Policy.

Latest posts by Jake New (see all)