Over the course of a month, 29,000-plus University of Oklahoma student records were viewable to anyone with a university email account.
The university inadvertently exposed students’ records by incorrectly managing privacy settings in a file-sharing system for employees, according to the school’s newspaper, OU Daily. The records dated back to 2002 and potentially earlier.
Microsoft Delve is the file-sharing program the university was using. It is a collaboration tool which allows its users to edit and share documents with colleagues. The breach occurred when the files were being moved over to cloud servers.
Matt Hamilton, Registrar and Vice President at the university, said in a statement, “Delve allows users to search their SharePoint files using keywords, similar to a Google search. Any SharePoint site with the open privacy setting was searchable to any user within the OU system. This is how the Daily was able to access the sensitive data in question.”
The Daily claims that four of its writers (Hamilton’s response says only one) caught wind of the data breach and were able to gain access to the personal files during its investigation.
Some other accessible information included GPAs, visa statuses for international students, and Pell Grant recipients.
The school says that although the student records were viewable to those with an OU email account, no one outside of the university had access to the information.
These types of data breaches are prohibited by the Family Educational Rights and Privacy Act (FERPA) put forth by the U.S. Department of Education.
LeRoy Rooker, who for over twenty years led the Family Policy Compliance Office, which oversees FERPA, says that no university would purposely violate FERPA policies. Violating these policies could result in loss of federal funding. He adds that penalties can be avoided if the institution in question takes the necessary steps to fix the problem. Hamilton says that the “situation” was resolved and that the university can assure its students that their files are secure and uncompromised.
“I know the people there, from (OU President) David Boren on down — Matt Hamilton, all of them — they’re very FERPA-conscious,” says Rooker. “Something slipped through the cracks. Somewhere, somebody didn’t know what they were doing or a vendor didn’t educate them.”