Indiana University notified Indiana’s attorney general’s office this week of the exposure of approximately 146,000 records. These records included PII such as names, addresses, and Social Security numbers of students across 7 campuses who attended from 2011 to 2014.
However, this instance differs from other recent exposures. In this case no servers were hacked, no systems were compromised, and there was no unauthorized download of anything. The exposed data was actually discovered by a web crawler, which was on the site for indexing purposes.
The university was quick to act: upon discovering the mistake, they rounded up the data and put it onto a secure server until it could safely be transferred back. They also started the process of notifying students who may be impacted and notified the attorney general.
They have also set up additional resources for students, such as a call center to handle questions, a website with information on how to monitor your credit accounts, and an FAQ. To further assist in the process, the university took it upon themselves to share the names and SSNs of those affected with the 3 major credit-reporting agencies, to make that process easier for the students should it reach that level.
Unlike other breaches we have seen recently, Indiana University did an excellent job in their response to the exposure. They had a plan and they executed it immediately. There are many others out there that should use this as an example of what needs to be done not just in the event of a breach, but even when there is only the potential for one.