The names, addresses and social security numbers of 146,000 IU students and graduates were left in a publicly accessible, non-password-protected online folder since early 2013.
Students from across the state – all seven IU campuses – were affected.
On Tuesday, IU officials reported the incident to the state Attorney General’s office.
Students had mixed reactions to the news.
“I’m actually very shocked that the information has been out there this long,” says IU student Katie Nordentoft.
“I do trust IU to be careful with my information, but yeah, all my internet access is over IU’s network,” Branden Neese echoes.
Naturally, the incident invites comparisons. Target’s high-profile data breach in December affected millions of customers and had a significant impact on the retail giant’s business.
Target confirmed profits fell 40 percent after the announcement.
What’s A Web Crawler
Fortunately for IU, there are more differences than similarities to the Target breach.
Here’s a big one – hackers intentionally set out to obtain information from Target’s servers.
At IU, Associate Vice President for Public Safety Mark Bruhn says no humans saw the student files. Instead, automated programs called web crawlers accessed the data, which was encrypted.
“As these automated programs go from server to server, computer to computer, network to network, they’re looking for things that – based on some criteria that the company has set – would be interesting to people doing the searches,” Bruhn says. “So it’s looking for webpages, it’s looking for all manner of things. And it does this on every internet address it finds.”
IU staff found web crawlers for three companies: Google, Baidu (the Chinese equivalent to Google), and a third company that had already gone out of business.
“At some point the folder the files were in had passwords. When the web crawler hits those and tries to access the files, it is asked for a password, and the web crawler doesn’t know the password, drops it, and goes on. In this case, the password at some point had been dropped,” Bruhn says. “And so the web crawlers were not asked for the password at some point, and so they were able to access the files and cache them.”
IU officials are blaming simple human error for the security breach – not a software or hardware glitch.
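The mechanism Bruhn describes, a crawler that is turned away by a password challenge on one folder and served content by a folder whose password was dropped, is straightforward to check for from the outside. The following is an added example, not IU’s or any vendor’s code: it starts a tiny local stand-in for a departmental web server with one folder still behind HTTP Basic authentication and one whose protection has been removed, then probes both without credentials the way an anonymous crawler would and reports any sensitive path that returns a 200. The folder names, realm, credentials and sample record are all constructed for the example.

```python
"""Audit that sensitive web paths still challenge anonymous requests.

Added example (not IU's or any vendor's code). A local HTTP server stands
in for a departmental web server with two folders: one still protected by
HTTP Basic auth, one whose protection was dropped. An unauthenticated probe,
behaving like a crawler, records which paths hand back content.
All paths, the realm, the credentials and the sample record are constructed.
"""
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample record standing in for a name/address/SSN file.
SAMPLE_RECORD = b"Doe,Jane,123 Example St,000-00-0000\n"

PROTECTED_PREFIX = "/records/protected/"   # assumption: auth still in place
EXPOSED_PREFIX = "/records/exposed/"       # assumption: auth was dropped
VALID_CREDS = base64.b64encode(b"staff:correct horse").decode()


class DeptHandler(BaseHTTPRequestHandler):
    """Serves the two folders; only the protected one demands credentials."""

    def do_GET(self):
        if self.path.startswith(PROTECTED_PREFIX):
            if self.headers.get("Authorization") != "Basic " + VALID_CREDS:
                # An anonymous crawler gets a challenge here and moves on.
                self.send_response(401)
                self.send_header("WWW-Authenticate", 'Basic realm="records"')
                self.end_headers()
                return
        elif not self.path.startswith(EXPOSED_PREFIX):
            self.send_response(404)
            self.end_headers()
            return
        # Either authenticated, or the folder whose password was dropped:
        # the record is handed to whoever asked.
        self.send_response(200)
        self.send_header("Content-Type", "text/csv")
        self.end_headers()
        self.wfile.write(SAMPLE_RECORD)

    def log_message(self, *args):  # keep the stand-in server quiet
        pass


def start_server():
    """Start the stand-in server on a free localhost port.

    Returns (server, base_url); call server.shutdown() when done.
    """
    server = HTTPServer(("127.0.0.1", 0), DeptHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


def probe_anonymously(base_url, paths):
    """Fetch each path with no credentials, as a crawler would.

    Returns {path: http_status}. A 200 on a sensitive path is the finding
    the article describes; 401/403 means the control is still in place.
    """
    results = {}
    for path in paths:
        req = urllib.request.Request(base_url + path,
                                     headers={"User-Agent": "audit-bot"})
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                results[path] = resp.status
        except urllib.error.HTTPError as err:
            results[path] = err.code
    return results


def exposed_paths(base_url, sensitive_paths):
    """Return the sensitive paths an anonymous client can read (status 200)."""
    statuses = probe_anonymously(base_url, sensitive_paths)
    return sorted(p for p, s in statuses.items() if s == 200)


if __name__ == "__main__":
    srv, base = start_server()
    try:
        leaked = exposed_paths(base, [PROTECTED_PREFIX + "students.csv",
                                      EXPOSED_PREFIX + "students.csv"])
        print("readable without credentials:", leaked)
    finally:
        srv.shutdown()
```

In practice the list of sensitive prefixes would come from an inventory of where the institution keeps personal data, and the probe would run from outside the campus network on a schedule, so that a password that is quietly dropped from a folder shows up within days rather than a year later in a search engine’s cache.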
How Universities Can Better Protect Information
Karthik Ganesh, a software security consultant for Cigital, says data breaches are fairly common. There was one just last week at the University of Maryland that affected more than 300,000 faculty, staff and students.
“The organizations do their best to identify these vulnerabilities earlier and try to mitigate them. But even the most sophisticated software gets affected,” Ganesh says. “So the practice is to stay up-to-date and keep looking for security vulnerabilities and fix them as soon as possible.”
He says this incident could have been avoided if IU had conducted periodic security testing.
“Data needs to be handled securely,” he says. “Especially if it’s social security numbers and other sensitive details. Those details have to be stored securely and there should be proper authentication and authorization controls in place. Those pages shouldn’t be allowed to cache on the browsers.”
IU staff have since moved the records to a secure location, where they can’t be accessed without credentials. They’ve also submitted requests to Google and Baidu to remove the information from their search indexes and caches.
Jim Kennedy, Associate Vice President for Student Services and Systems, says the university has launched an investigation.
“I think everything will be reviewed. It wasn’t really an overall [University Information Technology Services] issue, it was more of a departmental piece,” Kennedy says. “I think all options will be reviewed in the future to see what we can do.”
In the meantime, Indiana University has set up a call center and Frequently Asked Questions page with information for students about credit monitoring.
Notifications for students whose records were compromised went out Friday.