The university had created lists of students who’d studied at the College of Education at MSU between 2005 and 2009 to submit for the accreditation approval, according to the March 3 article. The lists contained names and Social Security numbers, the university said.
Although the list was supposed to be uploaded to a secure server accessible only to university personnel as part of the accreditation process, it ended up on an insecure server, exposing it to the Google spiders indexing the Web, the university said. The MSU IT team is currently working with Google to remove all leaked lists from the search engine's indexes, the university said.
Data breaches are a growing problem. The 2010 data breach report from Ponemon Institute found that the average cost of a data breach is approximately $7.2 million. That hefty price tag includes the cost of hiring a third-party security auditor with computer forensics knowledge to investigate what happened and fix the issue, notifying all the users and the state government, setting up a call center that can handle questions from worried victims, and paying for credit monitoring services, as well as lost productivity and sales as customers leave, Shaul said. In a heavily regulated industry, compliance fines can also increase the cost of the breach, he said.
I recall a similar incident in which the Mesa County, Colorado Sheriff’s office accidentally posted a bunch of confidential data to a public webserver.
My question is: Why do these employees have access to publish to public webservers? Does MSU have their Intranet and Internet sites on the same physical server? That seems like a bad idea.