Data stored in an insecure online location for nearly a year exposed personal information on 146,000 students and recent graduates of Indiana University, officials said on Tuesday. The lapse occurred in the registrar’s office when a data file was placed in the wrong folder; it was discovered by an employee last week.
There is no evidence that the university was the target of a cyberattack, said Bradley C. Wheeler, vice president for information technology and chief information officer for the eight-campus system. No servers or systems were hacked.
“What we do know is that a bot indexed them,” Mr. Wheeler said of the data. “We do know one bot downloaded some into a cache. We have no evidence that anything happened from the cache there. This is not like incidents where there is very good forensic evidence that a file was taken.”
The data included names, addresses, and Social Security numbers of students enrolled across the system from 2011 to 2014. No credit-card data were involved, Mr. Wheeler said. The university reported the exposure to the Indiana attorney general’s office on Tuesday. Affected students are being notified now, university officials said. A hotline and a website are being set up to answer questions, and to supply information on how to monitor credit accounts.
The incident at Indiana comes on the heels of a cyberattack last week at the University of Maryland in which personal information on more than 300,000 students and faculty and staff members was stolen. The perpetrators must have had a sophisticated understanding of the university’s multilayered cybersecurity infrastructure in order to breach the system, Brian D. Voss, vice president for information technology at Maryland, told The Washington Post.