San Diego State University has notified some of its current and former enrollees that some of their personal information may have been accessed by unauthorized users, after a database containing the information was found to be accessible by anyone on the affected department’s wired network.
The database in question belongs to the Pre-College Institute, a part of the school’s College of Education that promotes education in middle and high schools. In a letter sent to the Office of the Attorney General in California, SDSU’s CIO said that the school has no indications that the data was ever accessed by attackers or even unauthorized users or used for malicious purposes.
“The database was managed by the Pre-College Institute and contains your name, Social Security number, date of birth, address, and other personal information needed to provide pre-college students various services. You were or are enrolled in one of the Pre-College Institute programs. The database was intended to be used only by Pre-College Institute employees, but it was misconfigured to enable any computer connected to the SDSU wired network, with the program “FileMaker”, to open it. The SDSU wired network consists of offices, some labs and the library,” the letter from Chris Xanthos, associate vice president for Business Operations and CIO, says.
“SDSU takes its responsibility to protect your personal data very seriously, and we apologize for the misconfiguration of the database. Upon learning of this situation, the Pre-College Institute reconfigured the database to be available only to employees working at the Institute supporting the pre-college students.”
It’s not unusual to hear about a data breach that results from some form of misconfiguration or human error, especially in environments such as universities where the networks often are open by default. Colleges and universities are common targets for attackers, who know that the schools typically lean toward open networks and store the valuable personal information of tens of thousands of students, faculty and staff.
Many large universities have been the target of attackers in recent years, notably the University of Maryland, which suffered a major data breach earlier this year.
Image from Flickr photos of Monique Wingard.