Sensitive information about Eastern Kentucky University faculty, staff and student workers was inadvertently posted to the internet last September and remained there for a year.
How many victims? 5,054.
What type of personal information? Names and Social Security numbers.
What happened? The file was inadvertently posted on Sept. 29, 2008, by an EKU staff member who was responsible for collecting data. The person violated EKU’s information security policies, which state that unencrypted confidential personal data must not be stored on a computer that is not in a physically secured location. The file was discovered by an EKU employee who was conducting a Google search, and it was taken down on Sept. 18, 2009.
Details: The file contained information about individuals on EKU’s payroll during the 2007 to 2008 academic year.
What was the response? Letters were sent to affected individuals. A webpage and hotline were established to provide information about the breach. In addition, EKU is undertaking a data inventory initiative and conducting a review of policies and practices regarding the security of confidential data.
Source: http://www.ecert.eku.edu/faq.php, Eastern Kentucky University Computing Emergency Response Team, “September 2009 Data Exposure Incident FAQ.”