Virginia prosecutor sues alma mater Georgetown over data breach

October 19, 2024

There are so many data breaches and data leaks every day that potential class action lawsuits or announcements of law firm investigations of breaches seem somewhat de rigueur by now. But not all lawsuits stem from huge breaches. Here’s one that stems from a mistaken configuration that exposed student information for 24 hours. Reuters reports:

A Virginia county prosecutor on Friday filed a civil class action lawsuit against Georgetown University following a data breach at the Washington, D.C.-based school that it reported earlier this week.

The data breach exposed an unknown number of current and former Georgetown students’ personal information, including Social Security numbers, tax ID numbers, employee payroll, and other information about the school’s undergraduate and graduate students, plaintiff Mary Margaret Cleary alleged in her lawsuit.

This breach reportedly began with a misconfiguration error that allowed anyone with a student ID to access information that should have only been available to administrative personnel.

The private information of current and former Georgetown students was available for approximately 24 hours and was accessed by 29 current or recent students, the university’s chief information officer Doug Little said in a statement on Thursday.

The complaint, however, suggests that the university’s email notification may not have fully revealed the scope of information exposed or acquired by others. The complaint cites reporting by The Hoya that suggests more extensive exposure of personal information:

  1. For example, information The Hoya viewed in one spreadsheet included personal
    information on students’ full names, tax IDs, dates of birth, genders, ethnicities, marital statuses,
    disability statuses, immigration and visa statuses and religions.
  2. Other spreadsheets reviewed by The Hoya contained financial aid information
    for students dating back to the 1990s, including comments university staff made on students’
    financial aid reports related to financial aid amounts and details of family marital and medical
    history. The data included specific details of students’ financial aid, such as how much aid they
    had received from the university versus federal or other grants and how much of an unsubsidized
    loan a student had taken out for a semester

Cleary, who is deputy commonwealth attorney for Culpeper County, does not appear to be claiming that she has suffered concrete harm, but rather that she is experiencing “anxiety and stress from concern that she faces an increased risk of financial fraud, identity theft, fraud and other types of monetary harm as a result of the stolen information.”

Whether the complaint in federal court will be dismissed for lack of Article III standing remains to be seen, but this lawsuit is a reminder that even a simple misconfiguration error that exposes personal information for 24 hours can result in litigation.