Misconfigured permissions on file-sharing platforms may have exposed personal information for some students and thousands of campus employees on two different file-sharing platforms, campus privacy investigators have learned.
One shared platform at the Graduate School of Business potentially exposed the personal information of nearly 10,000 non-teaching staff who were employed throughout the university in August 2008, as well as confidential financial aid information for MBA students. Another platform, AFS, widely used throughout the university, exposed a variety of information from several campus offices, including Clery Act reports of sexual violence and some confidential student disciplinary information from six to 10 years ago.
Stanford’s Information Security and University Privacy offices have been investigating both situations and continue to review file-sharing platforms campus-wide to assure appropriate access permissions are in place.
The university does not have any direct evidence that personally identifiable information was accessed from the GSB file. But as a precaution, beginning today, notification letters are being sent to all impacted employees and students who may have had personally identifiable information exposed. Credit monitoring and fraud protection services are being offered and a call center has been established to take questions. The center can be reached at (888) 684-4998.
“We extend the deepest apology to the employees and former Stanford students who expected that their personal information would be treated with the greatest care by campus offices,” said Randy Livingston, vice president for business affairs, whose department includes oversight of University Information Technology and the Information Security and University Privacy offices. “This is absolutely unacceptable. Our community expects that we will keep their personal information confidential and secure, and we have failed to do so. The proliferation of file-sharing platforms requires that everyone be vigilant in assuring that confidential information remains secure, old files are deleted and permissions are regularly reviewed.”
One data exposure was discovered by a student staff member of the Stanford Daily, which on Nov. 9 reported to campus privacy authorities that some campus data on the widely used AFS (Andrew File Sharing) platform was accessible to any AFS user, at Stanford or on other campuses. The Daily discovered publicly accessible files containing de-identified sexual assault reports being gathered under the Clery Act, as well as some emails to the then-Student Judicial Affairs office about student disciplinary cases. The files also contained some comparative data of statistics from other university campuses. Most of the files were from 2005 to 2012 and were managed by six different campus offices.
The Stanford Daily reported its findings in a story that maintained confidentiality of the personally identifiable information.
“We greatly appreciate the Stanford Daily’s responsible handling of the confidential information and for their prompt reporting to the university,” said Wendi Wright, Stanford’s chief privacy officer. “We were able to secure confidential AFS files within two hours of learning of the exposure, and promptly launched an intensive investigation. In addition, we have urgently reached out to all managers of shared file servers to review access permissions and to delete old files.”
Another data exposure was reported to the University Privacy Office by the GSB on October 27, also launching an investigation. Some confidential financial aid files on a shared server maintained by the GSB were accidentally made available to the GSB community starting in June 2016. Other files on the same server were accessible starting in September 2016. All files were secured by early March.
The GSB IT team became aware of the potential breach in February 2017, after learning that a GSB student had accessed confidential information on financial aid. At that time, the GSB IT team recognized there was a permission problem and promptly secured all of the files on the drive. But they failed to understand the scope of the exposure and did not report it to the GSB dean or relevant university offices for further investigation.
The University Privacy Office and the GSB IT team investigating that exposure discovered a file on Nov. 21 containing names, birthdates, Social Security numbers and salary information for nearly 10,000 non-teaching university employees – a snapshot taken in August 2008 – was exposed on the GSB server. That file, originated by University Human Resources and made accessible to GSB HR, had been used for annual salary setting. In September 2016 the folder’s permissions were changed, making the file inadvertently accessible on the GSB shared drive. The file was exposed to the GSB community for six months before it was locked and secured last March 3.
The MBA student who first identified the GSB file exposure has subsequently used the anonymized financial aid information to conduct an in-depth analysis of financial aid distribution within the GSB. The student’s analysis showed varying amounts of financial aid distribution, with more funds going to women students in some situations.
“There is no excuse for this compromise of privacy and security, and I intend to do everything possible to ensure that it does not happen in the future,” GSB Dean Jonathan Levin wrote to the school community on Nov. 17.
Addressing the GSB’s historical financial aid process, which has resulted in varying awards to students who demonstrate similar financial need, Levin wrote that the student’s analysis raised issues to be addressed. In particular, he said, “a preferable approach, going forward, is to be significantly more transparent about the principles and objectives being applied in making financial aid awards, and about how different awards are made.”
The Information Security and University Privacy offices are using data forensics software to comb through all university file-sharing platforms to identify any additional personal or confidential information that may be exposed.
Stanford uses multiple online file sharing platforms, including AFS, NFS, Windows/CIFS, Box, OneDrive and Google Drive. Each of these platforms features permissions to control who has access, and thousands of employees and students manage files on these platforms.
“While we strive for a zero-error rate in permissions across the millions of files and folders stored and shared at Stanford, in this case we fell short of our goal,” said Michael Duff, the university’s chief information security officer. “The university’s decentralized structure requires every file owner to take responsibility for securing information and assuring that access permissions are periodically reviewed and appropriate.”
The Information Security office is working closely with IT leadership throughout campus to develop a comprehensive plan for addressing this problem broadly and sustainably across all file-sharing platforms in use at the university. The approach will include a combination of automated periodic permissions and file content scanning, regular manual reviews by content owners and an awareness and training program – all in furtherance of the university’s Minimum Security Standards.
In the meantime, the Information Security office has contacted file-sharing owners throughout the university to request that campus units urgently review all file-sharing permissions. The university also contacted search engines, including Google, to assure there is no exposure through cached web information.