Officials at Indiana University have concluded that a 2006 phishing attack against university members was made possible by an earlier breach of one of the university's main servers. This all came to light when one recipient of a phishing email -- a cybersecurity Ph.D. student -- wondered how an attacker could get his university email address, since he had never given it out to anyone. After requesting documents under the Indiana Public Records Act, the student discovered that the university had previously suffered an undisclosed breach, which is how the attacker obtained his information.

This simple story underlines some important points. It shows that breaches aren't harmless; even if the stolen data isn't immediately used for direct fraud, it's likely to be used in other ways down the road. If stolen data can help a phisher do a better job of personalizing an email to make it look more legitimate, then that stolen data has value.

The case also demonstrates the importance of disclosure. People whose data is lost need to be aware of it so that they can be on guard for fraud. When we hear about massive losses of data, such as the incidents at the Veterans Administration or TJ Maxx, it's easy to get lost in the staggering numbers and think of it all as an abstraction. But this incident shows, along with others before it, that breaches do have real consequences for the victims.