News

Thousands of records exposed in Stanford data breaches

Confidential data accessed via online file-sharing platforms

Personal employee information, confidential financial aid and student sexual-assault reports were exposed in three separate data breaches at Stanford, the university said in a press release Friday.

The incidents were due to "misconfigured permissions" on online file-sharing platforms used at the university, such as the Andrew File System (AFS) and Google Drive, according to Stanford.

In one breach, a file containing names, birthdates, Social Security numbers and salary information for nearly 10,000 non-teaching university employees from August 2008 was exposed on the Graduate School of Business' server. The file had been used for annual salary setting.

Last September, the folder's permissions were changed, making the file "inadvertently accessible" on the business school's shared drive, Stanford said. The file was exposed to the Graduate School of Business community for six months before it was locked and secured last March.

While the university has no "direct evidence" that personally identifiable information was accessed from this file, it is sending notification letters to all impacted employees and students who may have had personally identifiable information exposed. Stanford is also offering credit monitoring and fraud protection services and has set up a call center to take questions. (The center can be reached at 888-684-4998.)

What's local journalism worth to you?

Support Palo Alto Online for as little as $5/month.

Learn more

The Graduate School of Business reported another data exposure to the University Privacy Office on Oct. 27, after a business school student sent to the dean a report on patterns in the school's financial-aid history that drew from confidential data. Confidential financial aid files on a shared server maintained by the school were "accidentally made available" to the business school community starting last June, the university said. Other files on the same server were accessible starting last September. All files were secured by early March.

Yet the business school's information technology team has been aware of the potential breach since February, when it learned that a Graduate School of Business student had accessed confidential information on financial aid, according to the university.

"At that time, the GSB IT team recognized there was a permission problem and promptly secured all of the files on the drive. But they failed to understand the scope of the exposure and did not report it to the GSB dean or relevant university offices for further investigation," the release states.

An investigation of that exposure revealed the one that impacted thousands of employees.

In a third breach, which was discovered last month by a staff member at student newspaper the Stanford Daily, campus data on the "widely used" Andrew File Sharing platform was accessible to any AFS user, whether at Stanford or on other campuses.

Stay informed

Get daily headlines sent straight to your inbox.

Sign up

The Daily discovered publicly accessible files with unidentified sexual-assault reports Stanford collects under the federal Clery Act, as well as some emails to the then-Student Judicial Affairs office about student disciplinary cases, the university said. Most of the files were from 2005 to 2012.

The university "secured confidential AFS files within two hours of learning of the exposure, and promptly launched an intensive investigation," said Wendi Wright, Stanford's chief privacy officer.

Randy Livingston, vice president for business affairs, whose department includes oversight of University Information Technology and the Information Security and University Privacy offices, which have been investigating the breaches, called them "absolutely unacceptable."

"Our community expects that we will keep their personal information confidential and secure, and we have failed to do so," he said in the university release. "The proliferation of file-sharing platforms requires that everyone be vigilant in assuring that confidential information remains secure, old files are deleted and permissions are regularly reviewed."

Stanford's Information Security and University Privacy offices have been investigating the breaches and "continue to review file-sharing platforms campus-wide to assure appropriate access permissions are in place," Stanford said. The Information Security office is also working with IT teams across campus to "develop a comprehensive plan for addressing this problem broadly and sustainably across all file-sharing platforms in use at the university," Stanford said.

The university plans to put in place automated periodic permissions and file content scanning, regular manual reviews by content owners and an "awareness and training program."

The Information Security office also contacted file-sharing owners throughout the university to request they "urgently" review all file-sharing permissions. The university also contacted search engines, including Google, to assure there has been no exposure through cached web information.

Craving a new voice in Peninsula dining?

Sign up for the Peninsula Foodist newsletter.

Sign up now

Follow Palo Alto Online and the Palo Alto Weekly on Twitter @paloaltoweekly, Facebook and on Instagram @paloaltoonline for breaking news, local events, photos, videos and more.

Thousands of records exposed in Stanford data breaches

Confidential data accessed via online file-sharing platforms

by / Palo Alto Weekly

Uploaded: Fri, Dec 1, 2017, 9:00 am

Personal employee information, confidential financial aid and student sexual-assault reports were exposed in three separate data breaches at Stanford, the university said in a press release Friday.

The incidents were due to "misconfigured permissions" on online file-sharing platforms used at the university, such as the Andrew File System (AFS) and Google Drive, according to Stanford.

In one breach, a file containing names, birthdates, Social Security numbers and salary information for nearly 10,000 non-teaching university employees from August 2008 was exposed on the Graduate School of Business' server. The file had been used for annual salary setting.

Last September, the folder's permissions were changed, making the file "inadvertently accessible" on the business school's shared drive, Stanford said. The file was exposed to the Graduate School of Business community for six months before it was locked and secured last March.

While the university has no "direct evidence" that personally identifiable information was accessed from this file, it is sending notification letters to all impacted employees and students who may have had personally identifiable information exposed. Stanford is also offering credit monitoring and fraud protection services and has set up a call center to take questions. (The center can be reached at 888-684-4998.)

The Graduate School of Business reported another data exposure to the University Privacy Office on Oct. 27, after a business school student sent to the dean a report on patterns in the school's financial-aid history that drew from confidential data. Confidential financial aid files on a shared server maintained by the school were "accidentally made available" to the business school community starting last June, the university said. Other files on the same server were accessible starting last September. All files were secured by early March.

Yet the business school's information technology team has been aware of the potential breach since February, when it learned that a Graduate School of Business student had accessed confidential information on financial aid, according to the university.

"At that time, the GSB IT team recognized there was a permission problem and promptly secured all of the files on the drive. But they failed to understand the scope of the exposure and did not report it to the GSB dean or relevant university offices for further investigation," the release states.

An investigation of that exposure revealed the one that impacted thousands of employees.

In a third breach, which was discovered last month by a staff member at student newspaper the Stanford Daily, campus data on the "widely used" Andrew File Sharing platform was accessible to any AFS user, whether at Stanford or on other campuses.

The Daily discovered publicly accessible files with unidentified sexual-assault reports Stanford collects under the federal Clery Act, as well as some emails to the then-Student Judicial Affairs office about student disciplinary cases, the university said. Most of the files were from 2005 to 2012.

The university "secured confidential AFS files within two hours of learning of the exposure, and promptly launched an intensive investigation," said Wendi Wright, Stanford's chief privacy officer.

Randy Livingston, vice president for business affairs, whose department includes oversight of University Information Technology and the Information Security and University Privacy offices, which have been investigating the breaches, called them "absolutely unacceptable."

"Our community expects that we will keep their personal information confidential and secure, and we have failed to do so," he said in the university release. "The proliferation of file-sharing platforms requires that everyone be vigilant in assuring that confidential information remains secure, old files are deleted and permissions are regularly reviewed."

Stanford's Information Security and University Privacy offices have been investigating the breaches and "continue to review file-sharing platforms campus-wide to assure appropriate access permissions are in place," Stanford said. The Information Security office is also working with IT teams across campus to "develop a comprehensive plan for addressing this problem broadly and sustainably across all file-sharing platforms in use at the university," Stanford said.

The university plans to put in place automated periodic permissions and file content scanning, regular manual reviews by content owners and an "awareness and training program."

The Information Security office also contacted file-sharing owners throughout the university to request they "urgently" review all file-sharing permissions. The university also contacted search engines, including Google, to assure there has been no exposure through cached web information.

Comments

Midtown Resident
Midtown
on Dec 1, 2017 at 4:54 pm
Midtown Resident, Midtown
on Dec 1, 2017 at 4:54 pm
Like this comment

Ouch! Since there is so much scandal going around presently, perhaps the damage will be relatively unnoticed!


Exposed employee
Stanford
on Dec 1, 2017 at 6:59 pm
Exposed employee, Stanford
on Dec 1, 2017 at 6:59 pm
11 people like this

Sadly this could be the third time Stanford has exposed my personal information. Livingston needs go be held accountable for his continued mismanagement of IT.
Now that Livingston's laxidasical approach to security impacts Cleary Act records...action needs to be taken. He should not be allowed to pass the blame this time.


Red Teamer
Duveneck/St. Francis
on Dec 2, 2017 at 2:04 pm
Red Teamer, Duveneck/St. Francis
on Dec 2, 2017 at 2:04 pm
Like this comment

Organizations holding PII or other confidential data on their servers should employ a professional "Red Team" to attack these systems frequently to ferret out vulnerabilities. The Red Team can be trained on the system architecture but should otherwise be charged with carrying out attacks based on its own experience. In DARPA solicitations with a software reliability and cybersecurity aspect, there are often requirements for completely unrelated proposers to serve a similar role against the awardees developing the software deliverables.

Of course no single practice such as this is a "silver bullet" - it's another tool in the cybersec arsenal; perhaps Stanford has already implemented some form of this.


Jane
Stanford
on Dec 2, 2017 at 2:24 pm
Jane, Stanford
on Dec 2, 2017 at 2:24 pm
2 people like this

Any employee or student who thinks their records at Stanford are kept confidential is dreaming. Records sufficient for ID Theft are accessible to numerous staff, including student staff, all over campus. And that's authorized usage. Think about all the creepy students and staff you've met on campus. Would you be comfortable having them know your full name, DOB, SSN, home address, etc, And don't think you can just change your address, Stanford never eliminates addresses, they just add new ones.


Matt
another community
on Dec 3, 2017 at 6:33 pm
Matt, another community
on Dec 3, 2017 at 6:33 pm
4 people like this

This makes time number 2 for disclosing my personal data for Stanford. It amazes me that an institution in Silicon Valley can’t figure out how to protect MY personal information and yet hold me over the fire with threats of being fired if I disclose personal information. I think it’s time Stanford paid for a lifetime of credit monitoring and an additional penalty fee. Sometimes the only way to teach a lesson is with a good penalty.


Curmudgeon
Downtown North
on Dec 4, 2017 at 2:18 pm
Curmudgeon, Downtown North
on Dec 4, 2017 at 2:18 pm
Like this comment

Why don't people encrypt these things? So simple to do, so much safer.

C'mon, Stanford. You got a way vaunted CS department. Use it.

Or hire a bright sixth grader.


Don't miss out on the discussion!
Sign up to be notified of new comments on this topic.

Post a comment

Sorry, but further commenting on this topic has been closed.