Western Connecticut State University officials began alerting almost 234,000 students, their families and prospective students culled from purchased lists that their personal information was exposed due to a database vulnerability.
The records do not appear to have been inappropriately accessed, officials said. The information in the unpatched database was collected over 13 years and exposed from April 2009 until September 29, 2012. The university’s president immediately launched a campuswide investigation to determine what happened and remediate security vulnerabilities across the campus network.
The school did not disclose in detail how the vulnerability was discovered.
“The exposed data involved people connected to the university and includes names, addresses, social security numbers, and/or financial account information provided in association with transactions with the university,” according to the school’s Web site. “The information was gathered in several ways, including when prospective students applied to the university, when they or their guardians filled out financial aid forms, or when the university purchased lists of items like SAT scores. The vulnerable information goes back to 1999.”
The school patched the vulnerability and enhanced its security posture to prevent further exposure. It also is offering victims two years of free identity protection services through a contract with credit monitor AllClear ID.
“We are disappointed that the potential existed to have these records exposed but we will do everything we can to protect our students, their families and others with whom we have worked,” WCSU President James W. Schmotter said in a news release. “The steps we are taking and the solutions we are offering to every one of those affected are designed to address any problems this situation may have caused.”