Stanford, Rutgers Data Breaches Expose Employee and Student Info

Social Security numbers and salary information for nearly 10,000 Stanford employees were accessible for six months due to a misconfiguration of permissions.
Published: December 4, 2017

Data breaches have been discovered at both Stanford University and Rutgers University, exposing personal records of thousands of faculty members and students.

At Stanford, a misconfiguration of permissions on file-sharing platforms is to blame for several data breaches.

A student staff member of the Stanford Daily discovered a data breach and reported it to campus privacy authorities on November 9. The student was able to access unidentified sexual assault reports which were being collected under the Clery Act from 2005 to 2012.

The data was stored on the Andrew File Sharing platform and was accessible to any AFS user, including those outside of Stanford, according to Stanford News.


“We greatly appreciate the Stanford Daily’s responsible handling of the confidential information and for their prompt reporting to the university,” says Wendi Wright, Stanford’s chief privacy officer. “We were able to secure confidential AFS files within two hours of learning of the exposure and promptly launched an intensive investigation. In addition, we have urgently reached out to all managers of shared file servers to review access permissions and to delete old files.”

While the University Privacy Office and the Graduate School of Business IT teams investigated the November 9 exposure, they discovered a file on November 21 which contained names, birthdates, Social Security numbers and salary information for nearly 10,000 non-teaching university employees from an August 2008 snapshot. Confidential financial aid information for MBA students was accessible as well.

Stanford officials say last September, the folder’s permissions were changed, making the file “inadvertently” accessible on the business school’s shared drive. The file was accessible for six months before it was secured last March, reports Palo Alto Online.

Although the school says it has no “direct evidence” that the personally identifiable information was accessed, notification letters were sent to all potentially impacted employees and students. The school is also offering credit monitoring and fraud protection services.

School officials say they will put in place automated periodic permissions and file content scanning as well as regular manual reviews by content owners. Content owners will also be required to complete an awareness and training program.
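A minimal sketch of what an automated permissions and file content scan can look like, added here as an illustration and not taken from Stanford's tooling. It assumes POSIX mode bits stand in for the share's access controls (AFS uses its own ACLs), and the names `scan_share` and `count_ssn_like` are hypothetical.

```python
import os
import re
import stat

# SSN-shaped strings: 3-2-4 digits, excluding area/group/serial values never issued.
SSN_RE = re.compile(rb"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")
MAX_BYTES = 1_000_000  # read cap per file so one huge file cannot stall the scan


def count_ssn_like(path):
    """Count SSN-shaped strings in the first MAX_BYTES of a file."""
    try:
        with open(path, "rb") as fh:
            return len(SSN_RE.findall(fh.read(MAX_BYTES)))
    except OSError:
        return 0  # the scanner itself could not read the file


def scan_share(root):
    """Return sorted [(relative_path, ssn_hits)] for files any local user can read.

    A file counts as exposed only if it has the other-read bit AND every
    directory from root down to it has the other-execute (traverse) bit,
    so a single folder permission change flips everything beneath it.
    """
    findings = []
    stack = [(root, True)]  # (directory, reachable by "other" so far)
    while stack:
        directory, reachable = stack.pop()
        mode = os.lstat(directory).st_mode
        reachable = reachable and bool(mode & stat.S_IXOTH)
        for entry in os.scandir(directory):
            if entry.is_symlink():
                continue  # do not follow links out of the share
            if entry.is_dir():
                stack.append((entry.path, reachable))
            elif entry.is_file() and reachable:
                if entry.stat().st_mode & stat.S_IROTH:
                    hits = count_ssn_like(entry.path)
                    if hits:
                        findings.append((os.path.relpath(entry.path, root), hits))
    return sorted(findings)
```

Run on a schedule and compared against the previous run, the output shows which files became exposed after a folder's permissions changed, which is the gap that left the 2008 snapshot readable.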

Academic Information Exposed in Rutgers’ Data Breach

At Rutgers University, academic information for 1,700 students was exposed during a “data security” incident on November 8 and November 9, reports Tap into Plainfield.

University spokesman Neal Buccino says the affected students were in the Department of Computer Science and shared information included ID numbers, cumulative GPAs and class schedules. No Social Security numbers, addresses or financial information were leaked, according to Buccino.

The leak, blamed on an “administrative error”, was discovered when 18 students were able to access the data. The school notified the students who were able to view the information that the data was confidential.

The most recent exposure is minute in comparison to the cyber attacks that have plagued Rutgers in recent years. In fall 2015, several distributed denial-of-service (DDoS) attacks crippled Rutgers’ network, and the hacker refused to stop paralyzing the network until the school hired a DDoS protection service.

It was discovered in January 2017 that the perpetrator was Paras Jha, a Rutgers student, who had bragged about his responsibility to a co-worker.

Jha also attacked a French web-hosting company with one terabit of data per second, which is the record for the largest DDoS attack in history.
