Notre Dame employees' data exposed online for three years

Personal information on 24,000 staff posted on the Web from August 2006 to October 2009

In an embarrassing security gaffe, personal data on more than 24,000 past and present employees at the University of Notre Dame was made publicly available on the Web for more than three years.

The breach resulted when an employee inadvertently posted files containing the names, Social Security numbers and zip codes of the employees on a publicly accessible university Web site.

Files containing the data are believed to have been posted on the site in August 2006 and remained there until this October this year when they were finally discovered and reported to university officials.

The files have since been removed and secured and there is no evidence that the information has been inappropriately used, said Dennis Brown, Notre Dame's assistant vice president for news and information.

Included in the list of those affected by the breach are a "large number" of on-call and temporary employees, Brown said. All of those affected by the breach have been notified and the university has offered to pay for credit monitoring services, he said.

Notre Dame last suffered a data breach in January 2006, when unknown intruders broke into a server and accessed records belonging to an undisclosed number of individuals.

This is the second time this week that an organization has found itself in the news over an inadvertent data leak. On Sunday, a blogger discovered online a sensitive security manual containing detailed information on the screening procedures used by Transportation Security Administration agents at U.S. airports.

The document was supposed to have been redacted before it was posted on a government Web site, but wasn't.

As with the Notre Dame incident, the document was quickly removed once the lapse was reported but not before numerous copies of the document were posted at sites all over the Internet.

Though data breaches involving external hackers get most of the attention, inadvertent data exposures such as these latest examples are not all that uncommon. This June, a 267-page document listing all U.S. civilian nuclear sites, along with descriptions of their assets and activities, became available on whistleblower site Wikileaks.org days after a government Web site publicly posted the data by accident.

The sensitive, but unclassified, data had been compiled as part of a report being prepared by the federal government for the International Atomic Energy Agency (IAEA).

In another incident in October 2007, a student at Western Oregon University discovered a file containing personal data on student grades after it had been accidentally posted on a publicly accessible university server by an employee.

Numerous others breaches, including at government agencies, have also inadvertently leaked confidential and sensitive data over file-sharing networks.

FREE Computerworld Insider Guide: Five IT certifications that won’t break you
Join the discussion
Be the first to comment on this article. Our Commenting Policies