The problem was uncovered when a University of Arizona student found her private information on a public computer server, Cathy Bates, the university’s information security officer, told the Arizona Daily Star.
The personal data, which included names, social security numbers, and tax ID numbers of those who received payments or reimbursements from the university, were contained in a set of files that was transferred to a new university financial system. The school mistakenly thought the files contained only public information, so the server was set up for public access, Bates said.
An investigation conducted by the university confirmed that unauthorized individuals accessed the personal data. The university has taken steps to prevent a recurrence and is offering a free year of credit monitoring to those affected. Letters informing affected individuals were sent in May, Bates explained.
According to Arizona law, if an investigation into a data breach "results in a determination that there has been a breach in the security system, the person shall notify the individuals affected. The notice shall be made in the most expedient manner possible and without unreasonable delay."