Stanford University has notified nearly 900 individuals that their personal and health information was accessed without authorisation after files containing the Economics Ph.D. program admission information were downloaded from its website between December 2022 and January 2023.
The university found that a folder containing the 2022-23 application files for admission to Stanford’s Department of Economics’ Ph.D. program was available through the department’s website because of a misconfiguration of the folder’s settings.
The information exposed as a result of this breach comprises application and accompanying materials, including names, dates of birth, home and mailing addresses, phone numbers, email addresses, race and ethnicity, citizenship, and gender. Some materials submitted during the Ph.D. application process also included applicants’ health information, although Social Security Numbers and financial data were not exposed.
Stanford immediately blocked access to the files once it found out about the accidental exposure. The university said that it found no evidence that the downloaded information has been misused, adding that “the confidentiality, privacy, and security of personal information are among our highest priorities, and we have security measures in place to protect this type of information.”
Following the incident, Stanford said it would be updating its processes and policies related to electronic file storage security and retraining faculty and staff on the policies.
This incident follows an April 2021 data breach disclosed after the Clop ransomware group leaked documents stolen from Stanford School of Medicine’s Accellion File Transfer Appliance (FTA) platform. Data published online by the Clop cybercrime gang after the 2021 attack included names, addresses, email addresses, Social Security numbers, and financial information.
Stanford University is among many other higher education institutions that have suffered data breaches in the past year, highlighting the need for institutions to take proactive steps in securing their systems and data. In the wake of the breach, the university urged the affected individuals to “remain vigilant for incidents of fraud and identity theft by regularly reviewing account statements and monitoring free credit reports.”
