Indiana University today began notifying approximately 146,000 students and recent graduates from 2011 to 2014 that their names, addresses and Social Security numbers had inadvertently been exposed online (h/t DataBreaches.net).
"The information was not downloaded by an unauthorized individual looking for specific sensitive data, but rather was accessed by three automated computer data mining applications, called webcrawlers, used to improve Web search capabilities," the university said in a statement.
A staff member in the university registrar's office discovered last week that the data had been stored insecurely since March of 2013 -- a change in security protections for the server hosting the information had inadvertently made it accessible without authentication.
"This is not a case of a targeted attempt to obtain data for illegal purposes, and we believe the chance of sensitive data falling into the wrong hands as a result of this situation is remote," associate vice president for financial aid and university student services and systems James Kennedy said in a statement. "At the same time, we have moved quickly to secure the data and are conducting a thorough investigation into our information handling process to ensure that this doesn’t happen again."https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i
While no credit protection services are being offered to those affected, the university is advising all those affected to consider placing fraud alerts on their credit files.
A FAQ regarding the incident is available here, and students with questions are advised to contact (866) 254-1484.