Western Connecticut State notifies 235k over database gaffe

Share this article:

A database server, containing personal information of hundreds of thousands of people affiliated with Western Connecticut State University in Danbury, Conn., was publicly accessible for nearly 3 1/2 years.

How many victims? 235,000 students, former students, parents, faculty, staff and individuals who sent their SAT scores to the college, but never attended. The vulnerable records date back to 1999.

What type of personal information? Names, Social Security numbers, addresses, email addresses, phone numbers and, in some cases, grades.

What happened? Configuration controls on a general database at the university were incorrectly set, which could have allowed an outsider to remotely access the data contained within. The misconfiguration was discovered during routine maintenance. It had existed from April 2009 to September of this year.

What was the response? Victims were notified by mail. As well, the university set up a searchable database to learn if one was impacted. In addition to fixing the vulnerability, the school plans to implement additional security measures and begin expunging unneeded data.

"We've started to purge that type of information after a certain amount of time," spokesman Paul Steinmetz told SCMagazine.com on Friday. "We were just saving information that was of no longer any use to us in our servers that we should have been routinely cleaning out."

He admitted that some people, such as those who asked their high school to submit their SAT scores to Western Connecticut State but never enrolled there, will be surprised to learn that their Social Security numbers were potentially exposed.

"They'll have no idea why they are getting this notification [from us]," Steinmetz said.

Details: The college's IT staff, according to Steinmetz, don't believe any of the data was improperly accessed.

"The feeling is, among our IT people, that it would have been difficult to put all the parts together to get in, and secondly, we don't see any information that anything was taken," he said.

Source: News release, "WCSU identifies database vulnerability, provides solution," Nov. 29, 2012.
Share this article:
You must be a registered member of SC Magazine to post a comment.
close

Next Article in The Data Breach Blog

Sign up to our newsletters

RECENT COMMENTS

FOLLOW US

More in The Data Breach Blog

About 60K transactions possibly affected in Cape May-Lewes Ferry breach

The security of card processing systems relating to food, beverage and retail sales at the Cape May-Lewes Ferry was compromised and payment card data may be at risk.

Arkansas State University-Beebe is investigating a potential breach

Arkansas State University-Beebe is notifying students and employees of a service running on one of its servers that could pose a potential breach to the system.

Unencrypted discs missing, Arizona State Retirement System notifies 44,000

Arizona State Retirement System notifies nearly 44,000 individuals enrolled in dental plans that two unencrypted discs containing their personal information are missing.