The university said in a earlier this week that it has fixed both problems, one of which lasted three months and the other more than a decade.
It blamed a system misconfiguration and incorrect access settings for the exposures, which also involved names and addresses of people who had done transactions with the university.
"The university has no reason to believe that any information from either of these incidents was inappropriately accessed or that information was used for identity theft or other crime," it said.
The problems were discovered by university staff. State and federal regulatory and law enforcement agencies have been contacted, the university said. It encouraged people who are concerned to place a free fraud alert with the major credit rating agencies and report fraudulent activity to the police and the university.