Univ. of Okla. Student Records Exposed in File Sharing Breach
Some of the shared student records included social security numbers and financial aid status.
Registrar and Vice President Matt Hamilton said in a statement "At no point was the security of OU IT systems breached. Rather, some sensitive files were inadvertently made accessible to OU account holders due to a misunderstanding of privacy settings."
Over the course of a month, 29,000-plus University of Oklahoma student records were viewable to anyone with a university email account.
The university inadvertently exposed students’ records due to incorrectly managing privacy settings in a file-sharing system for employees, according to the school’s newspaper, OU Daily. The records dated back to 2002 and potentially earlier.
Microsoft Delve is the file-sharing program the university was using. It is a collaboration tool which allows its users to edit and share documents with colleagues. The breach occurred when the files were being moved over to cloud servers.
Matt Hamilton, Registrar and Vice President at the university, said in a statement “Delve allows users to search their SharePoint files using keywords, similar to a Google search. Any SharePoint site with the open privacy setting was searchable to any user within the OU system. This is how the Daily was able to access the sensitive data in question.”
The Daily claims that four of its writers, although Hamilton’s response says only one, caught wind of the data breach and were able to gain access to the personal files during its investigation.
Some other accessible information included GPAs, visa statuses for international students, and Pell Grant recipients.
The school says that although the student records were viewable to those with an OU email account, no one outside of the university had access to the information.
These types of data breaches are prohibited by the Family Educational Rights and Privacy Act (FERPA) put forth by the U.S. Department of Education.
LeRoy Rooker, who for over twenty years commanded the Family Policy Compliance Office which oversees FERPA, says that no university would purposely violate FERPA policies. Violating these policies could result in loss of federal funding. He continues to say that penalties can be avoided if the institution in question takes the necessary steps to fix the problem. Hamilton says that the “situation” was resolved and can assure its students that their files are secure and uncompromised.
“I know the people there, from (OU President) David Boren on down — Matt Hamilton, all of them — they’re very FERPA-conscious,” says Rooker. “Something slipped through the cracks. Somewhere, somebody didn’t know what they were doing or a vendor didn’t educate them.”
If you appreciated this article and want to receive more valuable industry content like this, click here to sign up for our FREE digital newsletters!
About the Author
Amy Rock, Executive Editor
Amy is Campus Safety’s Executive Editor. Prior to joining the editorial team in 2017, she worked in both events and digital marketing.
Amy has many close relatives and friends who are teachers, motivating her to learn and share as much as she can about campus security. She has a minor in education and has worked with children in several capacities, further deepening her passion for keeping students safe.
Related Content
Leading in Turbulent Times: Effective Campus Public Safety Leadership for the 21st Century
This new webcast will discuss how campus public safety leaders can effectively incorporate Clery Act, Title IX, customer service, “helicopter” parents, emergency notification, town-gown relationships, brand management, Greek Life, student recruitment, faculty, and more into their roles and develop the necessary skills to successfully lead their departments. Register today to attend this free webcast!
