by

Data Breach at Indiana U. Exposes Information on 146,000 Students

Data stored in an insecure online location for nearly a year exposed personal information on 146,000 students and recent graduates of Indiana University, officials said on Tuesday. The lapse occurred in the registrar’s office when a data file was placed in the wrong folder; it was discovered by an employee last week.

There is no evidence that the university was the target of a cyberattack, said Bradley C. Wheeler, vice president for information technology and chief information officer for the eight-campus system. No servers or systems were hacked.

“What we do know is that a bot indexed them,” Mr. Wheeler said of the data. “We do know one bot downloaded some into a cache. We have no evidence that anything happened from the cache there. This is not like incidents where there is very good forensic evidence that a file was taken.”

The data included names, addresses, and Social Security numbers of students enrolled across the system from 2011 to 2014. No credit-card data were involved, Mr. Wheeler said. The university reported the exposure to the Indiana attorney general’s office on Tuesday. Affected students are being notified now, university officials said. A hotline and a website are being set up to answer questions, and to supply information on how to monitor credit accounts.

The incident at Indiana comes on the heels of a cyberattack last week at the University of Maryland in which personal information on more than 300,000 students and faculty and staff members was stolen. The perpetrators must have had a sophisticated understanding of the university’s multilayered cybersecurity infrastructure in order to breach the system, Brian D. Voss, vice president for information technology at Maryland, told The Washington Post.

Return to Top