Personal employee information, confidential financial aid and student sexual-assault reports were exposed in three separate data breaches at Stanford, the university said in a press release Friday.
The incidents were due to "misconfigured permissions" on online file-sharing platforms used at the university, such as the Andrew File System (AFS) and Google Drive, according to Stanford.
In one breach, a file containing names, birthdates, Social Security numbers and salary information for nearly 10,000 non-teaching university employees from August 2008 was exposed on the Graduate School of Business' server. The file had been used for annual salary setting.
Last September, the folder's permissions were changed, making the file "inadvertently accessible" on the business school's shared drive, Stanford said. The file was exposed to the Graduate School of Business community for six months before it was locked and secured last March.
While the university has no "direct evidence" that personally identifiable information was accessed from this file, it is sending notification letters to all impacted employees and students who may have had personally identifiable information exposed. Stanford is also offering credit monitoring and fraud protection services and has set up a call center to take questions. (The center can be reached at 888-684-4998.)
The Graduate School of Business reported another data exposure to the University Privacy Office on Oct. 27, after a business school student sent to the dean a report on patterns in the school's financial-aid history that drew from confidential data. Confidential financial aid files on a shared server maintained by the school were "accidentally made available" to the business school community starting last June, the university said. Other files on the same server were accessible starting last September. All files were secured by early March.
Yet the business school's information technology team has been aware of the potential breach since February, when it learned that a Graduate School of Business student had accessed confidential information on financial aid, according to the university.
"At that time, the GSB IT team recognized there was a permission problem and promptly secured all of the files on the drive. But they failed to understand the scope of the exposure and did not report it to the GSB dean or relevant university offices for further investigation," the release states.
An investigation of that exposure revealed the one that impacted thousands of employees.
In a third breach, which was discovered last month by a staff member at student newspaper the Stanford Daily, campus data on the "widely used" Andrew File Sharing platform was accessible to any AFS user, whether at Stanford or on other campuses.
The Daily discovered publicly accessible files with unidentified sexual-assault reports Stanford collects under the federal Clery Act, as well as some emails to the then-Student Judicial Affairs office about student disciplinary cases, the university said. Most of the files were from 2005 to 2012.
The university "secured confidential AFS files within two hours of learning of the exposure, and promptly launched an intensive investigation," said Wendi Wright, Stanford's chief privacy officer.
Randy Livingston, vice president for business affairs, whose department includes oversight of University Information Technology and the Information Security and University Privacy offices, which have been investigating the breaches, called them "absolutely unacceptable."
"Our community expects that we will keep their personal information confidential and secure, and we have failed to do so," he said in the university release. "The proliferation of file-sharing platforms requires that everyone be vigilant in assuring that confidential information remains secure, old files are deleted and permissions are regularly reviewed."
Stanford's Information Security and University Privacy offices have been investigating the breaches and "continue to review file-sharing platforms campus-wide to assure appropriate access permissions are in place," Stanford said. The Information Security office is also working with IT teams across campus to "develop a comprehensive plan for addressing this problem broadly and sustainably across all file-sharing platforms in use at the university," Stanford said.
The university plans to put in place automated periodic permissions and file content scanning, regular manual reviews by content owners and an "awareness and training program."
The Information Security office also contacted file-sharing owners throughout the university to request they "urgently" review all file-sharing permissions. The university also contacted search engines, including Google, to assure there has been no exposure through cached web information.
Comments
Midtown
on Dec 1, 2017 at 4:54 pm
on Dec 1, 2017 at 4:54 pm
Ouch! Since there is so much scandal going around presently, perhaps the damage will be relatively unnoticed!
Stanford
on Dec 1, 2017 at 6:59 pm
on Dec 1, 2017 at 6:59 pm
Sadly this could be the third time Stanford has exposed my personal information. Livingston needs go be held accountable for his continued mismanagement of IT.
Now that Livingston's laxidasical approach to security impacts Cleary Act records...action needs to be taken. He should not be allowed to pass the blame this time.
Duveneck/St. Francis
on Dec 2, 2017 at 2:04 pm
on Dec 2, 2017 at 2:04 pm
Organizations holding PII or other confidential data on their servers should employ a professional "Red Team" to attack these systems frequently to ferret out vulnerabilities. The Red Team can be trained on the system architecture but should otherwise be charged with carrying out attacks based on its own experience. In DARPA solicitations with a software reliability and cybersecurity aspect, there are often requirements for completely unrelated proposers to serve a similar role against the awardees developing the software deliverables.
Of course no single practice such as this is a "silver bullet" - it's another tool in the cybersec arsenal; perhaps Stanford has already implemented some form of this.
Stanford
on Dec 2, 2017 at 2:24 pm
on Dec 2, 2017 at 2:24 pm
Any employee or student who thinks their records at Stanford are kept confidential is dreaming. Records sufficient for ID Theft are accessible to numerous staff, including student staff, all over campus. And that's authorized usage. Think about all the creepy students and staff you've met on campus. Would you be comfortable having them know your full name, DOB, SSN, home address, etc, And don't think you can just change your address, Stanford never eliminates addresses, they just add new ones.
another community
on Dec 3, 2017 at 6:33 pm
on Dec 3, 2017 at 6:33 pm
This makes time number 2 for disclosing my personal data for Stanford. It amazes me that an institution in Silicon Valley can’t figure out how to protect MY personal information and yet hold me over the fire with threats of being fired if I disclose personal information. I think it’s time Stanford paid for a lifetime of credit monitoring and an additional penalty fee. Sometimes the only way to teach a lesson is with a good penalty.
Downtown North
on Dec 4, 2017 at 2:18 pm
on Dec 4, 2017 at 2:18 pm
Why don't people encrypt these things? So simple to do, so much safer.
C'mon, Stanford. You got a way vaunted CS department. Use it.
Or hire a bright sixth grader.