[BreachExchange] TUPD security breach publicized crime victim identities

Terrell Byrd terrell.byrd at riskbasedsecurity.com
Mon Dec 6 10:58:56 EST 2021


https://tulanehullabaloo.com/58405/news/tupd-breach-publicized-crime-victim-identities/

For victims of crimes and those receiving medical care, the protection of
one’s identity, privacy and dignity is critical.

As of Dec. 2, anyone with a Tulane University email address could access
the Tulane University Police Department’s unredacted Daily Activity
Reports. The public DARS openly shared the names of victims, witnesses,
reporting persons, those seeking medical attention and suspects who
interacted with TUPD.

The files were publicly accessible for nearly two years. TUPD was only made
aware of their visibility yesterday evening and secured the documents on
Dec. 3.

This security breach publicized more than 60 private documents dating back
to the fall of 2020. The most recent of these private files was shared on
Nov. 20.

Uncensored details of sex crimes, hate crimes, attempted suicides, medical
emergencies and other crimes involving Tulane affiliates and non-affiliates
were available for viewing. Splash Card numbers, birthdates, phone numbers
and addresses were also visible to those with access.

The Clery Act, a federal law regarding campus safety, offers special rights
to victims of dating violence, domestic violence, sexual assault and
stalking. The Clery Act requires that Tulane protect the confidentiality of
these victims in public records, including crime logs, and maintain the
confidentiality of any accommodations or protective measures provided to
them. This information was not protected within the public documents.

Some of the public documents also included the personal information of
patients receiving medical care at the Tulane University Medical Center.

The documents were sent daily by TUPD leadership to a distribution list of
48 people, including administrators, University President Mike Fitts and
five TUPD employees. Despite saying “for internal use only,” the files were
visible, sharable and downloadable via Microsoft SharePoint and they were
neither encrypted nor password protected.

According to sources in the administration, officials are working with
Tulane’s general counsel and TUPD to determine how the breach occurred and
how to prevent future cyber security compromises.