Univ. of Okla. Student Records Exposed in File Sharing Breach

Some of the shared student records included social security numbers and financial aid status.

Univ. of Okla. Student Records Exposed in File Sharing Breach

Registrar and Vice President Matt Hamilton said in a statement "At no point was the security of OU IT systems breached. Rather, some sensitive files were inadvertently made accessible to OU account holders due to a misunderstanding of privacy settings."

Over the course of a month, 29,000-plus University of Oklahoma student records were viewable to anyone with a university email account.

The university inadvertently exposed students’ records due to incorrectly managing privacy settings in a file-sharing system for employees, according to the school’s newspaper, OU Daily. The records dated back to 2002 and potentially earlier.

Microsoft Delve is the file-sharing program the university was using. It is a collaboration tool which allows its users to edit and share documents with colleagues. The breach occurred when the files were being moved over to cloud servers.

Matt Hamilton, Registrar and Vice President at the university, said in a statement “Delve allows users to search their SharePoint files using keywords, similar to a Google search. Any SharePoint site with the open privacy setting was searchable to any user within the OU system. This is how the Daily was able to access the sensitive data in question.”

The Daily claims that four of its writers, although Hamilton’s response says only one, caught wind of the data breach and were able to gain access to the personal files during its investigation.

Some other accessible information included GPAs, visa statuses for international students, and Pell Grant recipients.

The school says that although the student records were viewable to those with an OU email account, no one outside of the university had access to the information.

These types of data breaches are prohibited by the Family Educational Rights and Privacy Act (FERPA) put forth by the U.S. Department of Education.

LeRoy Rooker, who for over twenty years commanded the Family Policy Compliance Office which oversees FERPA, says that no university would purposely violate FERPA policies. Violating these policies could result in loss of federal funding. He continues to say that penalties can be avoided if the institution in question takes the necessary steps to fix the problem. Hamilton says that the “situation” was resolved and can assure its students that their files are secure and uncompromised.

“I know the people there, from (OU President) David Boren on down — Matt Hamilton, all of them — they’re very FERPA-conscious,” says Rooker. “Something slipped through the cracks. Somewhere, somebody didn’t know what they were doing or a vendor didn’t educate them.”

About the Author

Contact:

Amy is Campus Safety’s Senior Editor. Prior to joining the editorial team in 2017, she worked in both events and digital marketing.

Amy’s mother, brother, sister-in-law and a handful of cousins are teachers, motivating her to learn and share as much as she can about campus security. She has a minor in education and has worked with children in several capacities, further deepening her passion for keeping students safe.

In her free time, Amy enjoys exploring the outdoors with her husband, her son and her dog.

Read More Articles Like This… With A FREE Subscription

Campus Safety magazine is another great resource for public safety, security and emergency management professionals. It covers all aspects of campus safety, including access control, video surveillance, mass notification and security staff practices. Whether you work in K-12, higher ed, a hospital or corporation, Campus Safety magazine is here to help you do your job better!

Get your free subscription today!


Leave a Reply

Your email address will not be published. Required fields are marked *

Get Our Newsletters
Campus Safety Online SummitCampus Safety HQ