The information of 897 people who applied to Stanford University’s Economics PhD program was unlawfully downloaded from its website, the university said in a data breach disclosure.
Stanford said its internal investigation found that a misconfiguration left a folder on one of its websites open to unrestricted access, which allowed two downloads of the applicants’ information between Dec. 5, 2022, and Jan. 24, 2023.
“On January 24, 2023, Stanford was notified that a folder containing the 2022-2023 application files for admission to Stanford’s Department of Economics’ Ph.D. program was available through the department’s website because of a misconfiguration of the folder’s settings,” Stanford explained.
The university also said it immediately restricted access to the folder, noting that it has seen no evidence of misuse so far.
“We have worked diligently to investigate this matter, determine how it occurred and the extent of its impact, and prepare notifications to those affected,” Stanford’s chief information security officer Amy Steagall said. “We also have been working with other departments in the university to confirm the security of similar information. Providing for the security and integrity of our information systems is a priority, and we work continually to safeguard the information entrusted to us.”
Although no financial data or evaluative comments were exposed, unauthorized individuals did manage to steal personal information belonging to applicants. This includes full names, dates of birth, home and mailing addresses, phone numbers, email addresses, race and ethnicity, citizenship and gender.
The notification adds that materials submitted during the application, including transcripts, personal statements, resumes and letters of recommendation, were also accessible during the exposure timeframe.
"The incident does not involve programs at Stanford other than the PhD program in Economics. It also does not involve undergraduate applications to the university," the university added.
Following the incident, university officials said they will conduct a cross-department review of processes and policies regarding file storage security and conduct additional training for faculty and staff to ensure that similar incidents don’t happen again.
Educational institutions hold a wide range of personal information about staff and students. While this incident did not involve the exposure of SSNs or financial data, malicious individuals could still exploit the data to conduct targeted scams and phishing against victims.
Specialized identity protection solutions can help data breach victims reduce the risks that threaten their privacy, identity and money. Depending on your risk level, you can choose between Bitdefender’s Digital Identity Protection and Identity Theft Protection solutions.