Stanford, Rutgers Data Breaches Expose Employee and Student Info

Social Security numbers and salary information for nearly 10,000 Stanford employees were accessible for six months due to a misconfiguration of permissions.

Stanford, Rutgers Data Breaches Expose Employee and Student Info

Academic information for 1,700 Rutgers students was also exposed.

Data breaches have been discovered at both Stanford University and Rutgers University, exposing personal records of thousands of faculty members and students.

At Stanford, a misconfiguration of permissions on file-sharing platforms is to blame for several data breaches.

A student staff member of the Stanford Daily discovered a data breach and reported it to campus privacy authorities on November 9. The student was able to access unidentified sexual assault reports which were being collected under the Clery Act from 2005 to 2012.

The data was stored on the Andrew Filed Sharing platform and was accessible to any AFS user, including those outside of Stanford, according to Stanford News.

“We greatly appreciate the Stanford Daily’s responsible handling of the confidential information and for their prompt reporting to the university,” says Wendi Wright, Stanford’s chief privacy officer. “We were able to secure confidential AFS files within two hours of learning of the exposure and promptly launched an intensive investigation. In addition, we have urgently reached out to all managers of shared file servers to review access permissions and to delete old files.”

While the University Privacy Office and the Graduate School of Business IT teams investigated the November 9 exposure, they discovered a file on November 21 which contained names, birthdates, Social Security numbers and salary information for nearly 10,000 non-teaching university employees from an August 2008 snapshot. Confidential financial aid information for MBA students was accessible as well.

Stanford officials say last September, the folder’s permissions were changed, making the file “inadvertently” accessible on the business school’s shared drive. The file was accessible for six months before it was secured last March, reports Palo Alto Online.

Although the school says it has no “direct evidence” that the personally identifiable information was accessed, notification letters were sent to all potentially impacted employees and students. The school is also offering credit monitoring and fraud protection services.

School officials say they will put in place automated periodic permissions and file content scanning as well as regular manual reviews by content owners. Content owners will also be required to complete an awareness and training program.

Academic Information Exposed in Rutgers’ Data Breach

At Rutgers University, academic information for 1,700 students was exposed during a “data security” incident on November 8 and November 9, reports Tap into Plainfield.

University spokesman Neal Buccino says the affected students were in the Department of Computer Science and shared information included ID numbers, cumulative GPAs and class schedules. No Social Security numbers, addresses or financial information were leaked, according to Buccino.

The leak, blamed on an “administrative error”, was discovered when 18 students were able to access the data. The school notified the students who were able to view the information that the data was confidential.

The most recent exposure is minute in comparison to cyber attacks which have plagued Rutgers in recent years. In fall 2015, several Distributed-Denial-of-Service (DDoS) attacks crippled Rutgers’ network when a hacker refused to stop paralyzing the school’s network until they hired a DDoS protection service.

It was discovered in January 2017 that the perpetrator was Paras Jha, a Rutgers student, who had bragged about his responsibility to a co-worker.

Jha also attacked a French web-hosting company with one terabit of data per second, which is the record for the largest DDoS attack in history.

If you appreciated this article and want to receive more valuable industry content like this, click here to sign up for our FREE digital newsletters!

About the Author

amy rock headshot

Amy is Campus Safety’s Executive Editor. Prior to joining the editorial team in 2017, she worked in both events and digital marketing.

Amy has many close relatives and friends who are teachers, motivating her to learn and share as much as she can about campus security. She has a minor in education and has worked with children in several capacities, further deepening her passion for keeping students safe.

Leading in Turbulent Times: Effective Campus Public Safety Leadership for the 21st Century

This new webcast will discuss how campus public safety leaders can effectively incorporate Clery Act, Title IX, customer service, “helicopter” parents, emergency notification, town-gown relationships, brand management, Greek Life, student recruitment, faculty, and more into their roles and develop the necessary skills to successfully lead their departments. Register today to attend this free webcast!

Leave a Reply

Your email address will not be published. Required fields are marked *

Get Our Newsletters
Campus Safety Conference promo