
Lyndsay Medlin, now a law student, received this letter from Auburn University notifying her that some of her personal information could have been exposed on the school's website. But she didn't even apply to the university. (Submitted by Medlin)

A few days ago, North Carolina native Lyndsay Medlin received a letter stating some of her personal information may have been inadvertently accessible to the public on Auburn University's website.

Medlin, now studying at the University of Virginia School of Law, was confused because she never attended Auburn. She didn't even apply there. Neither did three of her classmates who also received letters.

"We didn't apply, we didn't send our SAT/ACT scores, we have nothing to do with Auburn, and we're angry," Medlin told AL.com.

Auburn University confirmed on April 3 that a "data security incident" could have exposed an estimated 364,012 current, former and prospective students' personal information, including name, address and Social Security number on its website.

The university, however, didn't make it clear that prospective students who didn't apply for admission to the institution could be victims.

"We have received inquiries from individuals wondering how their information was included in our IT system, because they did not attend or apply to Auburn," Auburn University spokesman Mike Clardy confirmed to AL.com. "We are doing our best to respond to these individual inquiries, but do not always have the detail available to give specific answers."

He said the university's estimate of those affected, released last week, does include current and former students, applicants and non-applicants, and that the records spanned an unspecified range of years.

Auburn University said in a statement that it learned on March 2 that some records stored on one of the university's servers mistakenly became accessible online between Sept. 1, 2014, and March 2, 2015.

The records included: name, address, email address, birth date, Social Security number and academic information.

The university hasn't made it clear where the personal data may have been accessible on its website.

The exposure resulted from configuration issues with a new device installed to replace a broken server. After securing the server, the university says it implemented additional network security measures.

Anyone affected was notified by mail and offered two free years of credit monitoring and identity protection and restoration services.

"We have informed callers of the ways their information may have been included in our system, including information received from testing organizations," Clardy said. "Like most universities, we obtain information from the ACT and SAT organizations for recruitment purposes so we can send information to admissions prospects. This is separate from the records we also receive from the SAT and ACT as a part of admissions applications."

Medlin said she doesn't understand how the university received her personal information. The College Board and ACT "absolutely denied" sending her information to Auburn, she said.

"While I opted into a scholarships search program, Social Security numbers are not part of that," she said.

Medlin said Auburn won't confirm if they have her Social Security number and what may have been accessible on the website.

"(Auburn officials) haven't told me anything more than the official press release indicates which is why I'm baffled," she said. "They won't tell me anything."

Medlin said the university confirmed to her friend that his Social Security number may have been exposed.

A confidential assistance telephone line was set up to provide additional information about the incident, and security tips and resources are being made available online.

Did you get a letter from Auburn University notifying you of a data security incident, but didn't go to or apply to the school? Let us know. Send an email to eedgemon@al.com.