Shostack + Friends Blog Archive


Purdue University, 1351 applicants+students, SSNs, "unauthorized electronic access"

“Unauthorized electronic access”. Not sure if that’s a poorly configured web server, or what.
Press release today.
Happened in February.
Notices sent at some unspecified time.
Indiana only requires state agencies to disclose breaches, the law isn’t in effect yet, and the legislative and judicial departments aren’t considered state agencies.
Quoth “Mark Smith, head and professor of the School of Electrical and Computer Engineering” [wording from Purdue’s own press release]:

“Removing Social Security numbers from all of the university’s business practices is an enormous and expensive process, but the university has mandated that every possible step be taken to solve this problem by the end of this calendar year.”

Better late than never. Cue up the usual lecture about externalities.