There was a data breach at Dominican University this weekend. Dominican University is located in Chicago and the data breach here affected over 5,000 current students and alumni from 2003, 2005, and 2007. First reported (to me anyway), here, it appears the problem was due to the misuse of access granted to part-time work-study students who were able to access Excel spreadsheets from previous years. What’s sad to me is that the university took no real action despite the problem being their own fault. They simply “encouraged affected individuals to place fraud alerts on their accounts”. I bet they wish they had Lifelock. Anyway, I think it’s pretty despicable that Dominican takes no real accountability for their error–most companies at least provide some sort of identity protection service for a year following a significant problem like this.

Dominican issued this statement:

“Dominican University takes information security very seriously. In April, we discovered that two student workers had accessed Excel files containing limited student data by misusing passwords related to their work-study employment. We notified all affected parties in writing, set up a toll-free hotline, and have worked closely with both the local police and states attorney’s offices.

The students went through a full university judicial process, were suspended temporarily and have been barred from future campus employment, among other sanctions. The university is conducting a complete security audit and internal review.

At this time we have no reason to believe that any information has been misused, but retain the right to prosecute as necessary.”

Hello! DO something. Yeah, it’s great that you’re notifying the affected individuals and their families but shouldn’t you actually do something other than suspend the students? What I really would like to know is how malicious the intent was to use this data. Did they just have access to it? Were they trying to use it? Did they just find it because they were seeing what all their passwords would let them into? Those would be the questions I would want answered if I were one of the affected individuals.