Stanford University discloses data breach affecting PhD applicants

Stanford University disclosed a data breach after files containing Economics Ph.D. program admission information were downloaded from its website between December 2022 and January 2023.

Last week, the university sent data breach notification letters to 897 individuals who submitted personal and health information as part of the graduate application to its Department of Economics, informing them that their info was accessed without authorization.

"On January 24, 2023, Stanford was notified that a folder containing the 2022-23 application files for admission to Stanford's Department of Economics' Ph.D. program was available through the department's website because of a misconfiguration of the folder's settings," the university told affected individuals.

"We promptly investigated this matter, which revealed that the unrestricted access to the applications began on December 5, 2022, and that there were two downloads of the application materials between December 5, 2022, and January 24, 2023."

The information exposed as a result of this breach comprises application and accompanying materials, including names, dates of birth, home and mailing addresses, phone numbers, email addresses, race and ethnicity, citizenship, and gender.

"The incident does not involve programs at Stanford other than the PhD program in Economics. It also does not involve undergraduate applications to the university," the university said in a separate statement on its website.

Financial and social security info not exposed

Some materials submitted during the Ph.D. application process also included applicants' health information. Social Security Numbers and financial data were not exposed during the incident because application files did not contain this type of data.

Stanford immediately blocked access to the files once it found out about the accidental exposure. At the moment, the university said that it found no evidence that the downloaded information has been misused.

"The confidentiality, privacy, and security of personal information are among our highest priorities, and we have security measures in place to protect this type of information," Stanford added.

"In response to this incident, we are updating our processes and policies related to electronic file storage security and will be retraining faculty and staff on the policies."

This incident follows an April 2021 data breach disclosed after the Clop ransomware group leaked documents stolen from Stanford School of Medicine's Accellion File Transfer Appliance (FTA) platform.

Data published online by the Clop cybercrime gang after the 2021 attack included names, addresses, email addresses, Social Security numbers, and financial information.

A Stanford spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today.