Auburn University says it accidentally made the Social Security numbers of 364,012 people openly accessible online.
The information was available publicly from September until March 2, according to the university. It exposed names, physical addresses, birthdays, SSNs and academic information.
Auburn says it is “unaware of any attempted or actual misuse” of its students’ personal information.
Last week, the university in Alabama mailed out warning letters to current and former students nationwide — but also people who never even attended or applied to the university.
Auburn, like other universities, looks for suitable candidates by obtaining personal and academic data on students nationwide from the organizations that put together ACT and SAT college admission tests. Auburn had collected and kept information on the prospective students, spokesman Mike Clardy said.
It’s unclear why Auburn kept data on people who were not its students.
Clardy said the incident occurred “in the process of replacing a broken server.” The data was placed on another device, which was accidentally left accessible by anyone online. The university discovered the mistake on March 2 and immediately unplugged the machine.
Auburn joins the list of colleges that have lost their students’ data. Here’s a list from 2014 alone:
University of Maryland exposed SSNs and more for 300,000 students and employees,
North Dakota University lost data on 300,000 students to hackers,
Butler University lost 200,000 to hackers, and
Indiana University exposed information on 146,000 students.
The university’s letter to victims also repeats what’s become an all-too-familiar template for entities that lose client data: “We have taken steps following this incident to increase our data security measures and … the safety and security of your personal information remains a top priority for Auburn University.”
Auburn has hired the credit bureau Experian to monitor the identities of those affected by the breach.
If exposed to the public, the data Auburn made public normally appears on black markets, where identity thieves can buy packaged profiles.
It’s become so rampant that there’s a new epidemic: Hackers are stealing tax refunds.