Personal employee information, confidential financial aid and student sexual-assault reports were exposed in three separate data breaches at Stanford, the university said in a press release Friday.
The incidents were due to "misconfigured permissions" on online file-sharing platforms used at the university, such as the Andrew File System (AFS) and Google Drive, according to Stanford.
In one breach, a file containing names, birthdates, Social Security numbers and salary information for nearly 10,000 non-teaching university employees from August 2008 was exposed on the Graduate School of Business' server. The file had been used for annual salary setting.
Last September, the folder's permissions were changed, making the file "inadvertently accessible" on the business school's shared drive, Stanford said. The file was exposed to the Graduate School of Business community for six months before it was locked and secured last March.
While the university has no "direct evidence" that personally identifiable information was accessed from this file, it is sending notification letters to all impacted employees and students who may have had personally identifiable information exposed. Stanford is also offering credit monitoring and fraud protection services and has set up a call center to take questions. (The center can be reached at 888-684-4998.)
The Graduate School of Business reported another data exposure to the University Privacy Office on Oct. 27, after a business school student sent the dean a report on patterns in the school's financial-aid history that drew from confidential data. Confidential financial aid files on a shared server maintained by the school were "accidentally made available" to the business school community starting last June, the university said. Other files on the same server were accessible starting last September. All files were secured by early March.
Yet the business school's information technology team had been aware of the potential breach since February, when it learned that a Graduate School of Business student had accessed confidential information on financial aid, according to the university.
"At that time, the GSB IT team recognized there was a permission problem and promptly secured all of the files on the drive. But they failed to understand the scope of the exposure and did not report it to the GSB dean or relevant university offices for further investigation," the release states.
An investigation of that exposure revealed the one that impacted thousands of employees.
In a third breach, which was discovered last month by a staff member at student newspaper the Stanford Daily, campus data on the "widely used" Andrew File System platform was accessible to any AFS user, whether at Stanford or on other campuses.
The Daily discovered publicly accessible files with unidentified sexual-assault reports Stanford collects under the federal Clery Act, as well as some emails to the then-Student Judicial Affairs office about student disciplinary cases, the university said. Most of the files were from 2005 to 2012.
The university "secured confidential AFS files within two hours of learning of the exposure, and promptly launched an intensive investigation," said Wendi Wright, Stanford's chief privacy officer.
Randy Livingston, vice president for business affairs, whose department includes oversight of University Information Technology and the Information Security and University Privacy offices, which have been investigating the breaches, called them "absolutely unacceptable."
"Our community expects that we will keep their personal information confidential and secure, and we have failed to do so," he said in the university release. "The proliferation of file-sharing platforms requires that everyone be vigilant in assuring that confidential information remains secure, old files are deleted and permissions are regularly reviewed."
Stanford's Information Security and University Privacy offices have been investigating the breaches and "continue to review file-sharing platforms campus-wide to assure appropriate access permissions are in place," Stanford said. The Information Security office is also working with IT teams across campus to "develop a comprehensive plan for addressing this problem broadly and sustainably across all file-sharing platforms in use at the university," Stanford said.
The university plans to put in place automated periodic permissions and file content scanning, regular manual reviews by content owners and an "awareness and training program."
The Information Security office also contacted file-sharing owners throughout the university to request they "urgently" review all file-sharing permissions. The university also contacted search engines, including Google, to assure there has been no exposure through cached web information.