Lists of students by semester were put together by the Missouri State University College of Education in preparation for accreditation. The lists contained names and social security numbers of students who attended the college between 2005 and 2009. The lists were supposed to be available on secure servers only to college personnel working on the accreditation.
However, the lists of 6,030 students were posted in October and November 2010 on an unsecured server, the university admitted last week. As a result, the lists ended up on Google.
An individual contacted the university on Feb. 22 to report the data breach. The university said it worked with Google to remove all of the lists, which had a limited number of hits.
The university is offering to pay $7 per student for consumer identity theft protection for a total cost of $42,210. It also informed the Missouri Attorney General of the data breach, took disciplinary action against the employee who posted the lists on the unsecured server, and is working with all the college deans to ensure information security policies and processes are followed.
“It is very unfortunate that this breach occurred”, said Jeff Morrissey, a Missouri State spokesman. “We are taking this breach very seriously, and we hope these steps will prevent inappropriate use of the personal information that was compromised.”