The University of Stanford announced that it has left sensitive student and staff data exposed on three separate occasions over the last year.
A misconfigured Stanford Graduate School of Business (GSB) server exposed the data of 10,000 non-teaching staff employed throughout the university exposing names, birthdays, salaries and Social Security numbers.
The mishap exposed data spanning between 2008 and 2015 to the business school's community for about six months before being locked and secured March 3, 2017 after they were spotted by campus privacy investigators, according to Poets & Quants who first reported on the incident Dec. 1.
The university told the publication the files were accidently made available on a shared server starting in June 2016 and that other files on the same server were accessible starting September 2016. The business school's IT team was made aware of the breach in February 2017 but reportedly failed to report the problem to the Stanford GSB Dean Jon Levin.
“At that time, the GSB IT team recognized there was a permission problem and promptly secured all of the files on the drive,” university spokesperson Lisa Lapin said in a statement. “But they failed to understand the scope of the exposure and did not report it to the GSB dean or relevant university offices for further investigation.”
Separately The Stanford Daily found another university file sharing platform, AFS (Andrew File Sharing) exposed information from several campus offices including Clery Act reports of sexual violence and confidential student disciplinary information from six to 10 years ago. The exposure was spotted on Nov. 9 and most of the files were from between 2005 and 2012 and were managed by six different campus offices.
Earlier this year, the GSB reported a data exposure that revealed confidential financial aid files on a shared server maintained by the GSB that were accidentally made available to the GSB community starting in June 2016 while other files on the same server were accessible starting in September 2016. All files were also secured by March.
The Information Security office has contacted file-sharing owners throughout the university to request that campus units urgently review all file-sharing permissions and those whose personal information was exposed are being notified and offered Credit monitoring and fraud protection services.
Despite the university's actions privacy advocates are criticizing the three misconfigurations spotted within a relatively short amount to time.
Infinite Global President Zach Olsen said these events happen every day at institutions and organizations around the world and the only way to reduce the chance of repeating these organizations shortcomings is to take steps to prevent unforced errors like the one at Stanford. He said the school needs to start thinking about regaining the trust lost in these incidents.
“How will very obvious lapses in security be prevented in the future and in addition to that, what systems will the university employ to fend off malicious attacks as well?, Olsen said. “There must be a conversation, started and led by the university, about how to recover from this.”
He added that the biggest challenge from a communications perspective is helping students and faculty understand why the university didn't protect the information that is entrusted and regaining their trust.
Olsen said it's necessary to train all staff, not just not just those in the IT departments, on best practices and ensure they understand that human error, not teams of malicious Eastern European hackers, is to blame for the majority of breaches.
