There it is. Information ending up in the hands of people that should not have it. And reading up, if personal data could be ex-filtrated from the hack, that's bad. I guess there could be other bits and pieces of info, perhaps even a copy of an ID or so? Thing is you can keep your data secure, but you have to supply data to some other parties, the University in this case. Do they keep it secure? No. So much data floating about, not only internationally, but also locally. A hackers wet dream. How many numpties re-use passwords?
Given enough bits and pieces of information on a party, I could become that party virtually speaking, none of his assistance required. So if I want to become MagicDude4Eva, I do not target MagicDude4Eva with phishing and social engineering as he'd be too savvy. No, I target his providers. Mission accomplished and hello, my name is MagicDude4Eva.