
University makes changes following last year's security incident

Last March, a number of Auburn students, applicants and even nonapplicants to the University received a letter by mail notifying them of a data security incident that potentially exposed their personal information.

The University said in a statement that it was made aware on March 2 that some information stored on one of the University’s servers mistakenly became available online. 

The incident, which leaked the names, addresses, email addresses, birth dates, Social Security numbers and academic information of 364,012 people, occurred when data was unintentionally stored on a system that was inappropriately configured, said Bliss Bailey, the interim chief information officer.

“It can be referred to as an unintended exposure,” Bailey said. “There was no hack, and no system was broken into. The archive server the Office of Enrollment had used for a number of years, successfully and securely, had failed. Physically, the hardware had failed, and they replaced that with a new server. However, the new server was not configured appropriately.”

The leak exposed the personal information of applicants and nonapplicants dating back to 2007 and potentially years prior to that. With nearly 10 years of information archived and eventually leaked, Bailey said the University is going through a process to determine how much data they should keep and for how long before getting rid of it.

Bailey said he believes the University holds onto data for such a long period of time because it helps with the recruiting and enrollment process, but he also feels there should be a point at which data is removed from the system.

“If you want to know things about your enrollment trends or about graduation trends, the more data the better,” Bailey said. “So there is this tendency to hold onto data so you can have it available for analysis. Now what we're learning is that data represents a liability, so we need to figure out how to summarize the data or keep it in a way so it gives us value from an analysis standpoint but we can reduce or eliminate the risk to hold onto that data.”

Gus Youmans, a student at the University of Georgia, applied to Auburn in 2011 and believes Auburn acted irresponsibly by holding onto his data after he decided not to enroll at the school.  

“I feel like once I didn’t enroll in school there, they should have gotten rid of my information,” Youmans said. “If I hadn’t applied to Auburn and received that letter, I would refer to that as illegal considering I didn’t give them permission to have my personal information. Either way, they should have gotten rid of the data a year or two after they received it.”

However, according to Bailey, the University did not act illegally because they purchase the information from ACT and SAT for recruitment purposes. Any information the University has was made available by the student signing consent forms to give their information to universities through the testing process.

Since the incident, Bailey said the University has moved swiftly to ensure nothing like this will happen again. The first change the University made was reconfiguring the firewall to block access from the outside world except to registered servers.

Perhaps the most substantial change the University has made is the implementation of a piece of software called Identity Finder, which helps scan desktops, laptops and servers for personally identifiable information such as Social Security numbers and credit cards. 

“We know we store that data in secure locations because we need to,” Bailey said. “Identity Finder helps us identify that data and eliminate it or make sure it gets moved to a secure location, and we're running that on every server on campus.”

While the leak put many identities at risk, the University said there’s no evidence anyone’s information was misused, and the letter and free identity monitoring were “out of an abundance of caution.”

