[BreachExchange] GSB server exposed social security numbers, salaries of 10,000 Stanford staff

Destry Winant destry at riskbasedsecurity.com
Sat Dec 2 23:20:17 EST 2017


https://www.stanforddaily.com/2017/12/01/server-exposed-social-security-numbers-salaries-of-10000-gsb-staff/

Incorrect permissions settings on a Graduate School of Business (GSB)
server exposed the names, birthdays, salaries and social security
numbers of 10,000 staff employed University-wide in 2008 for six
months last year, Stanford reported Friday.

While the University does not have evidence that the personal
information leaked was accessed, it began notifying those affected
Friday. The Information Security office has also hired a data
forensics team to investigate across the University for privacy
breaches and is asking all groups on campus to “urgently” review
permissions on their files.

Revelations of the breach follow news broken yesterday by Poets and
Quants that an MBA student found, de-anonymized and analyzed
confidential data on financial aid spanning 2008 to 2015; any member
of the GSB community could access information that included students’
income, assets and prior employment. The student discovered that the
GSB does not award fellowship money solely on need, as it previously
claimed, instead offering additional funds to some candidates.
According to the student’s analysis, the GSB’s aid favored women and
showed bias against international students.

Recent University privacy breaches extend beyond the GSB. Last month,
The Daily also discovered permissions errors in a University-wide
file-sharing system called AFS that let anyone from the Stanford
community – as well as people from other schools that use the same
platform – access information on sexual assault cases prepared from
campus therapy sessions and emails about student conduct issues, among
other confidential information.

“We extend the deepest apology to the employees and former Stanford
students who expected that their personal information would be treated
with the greatest care by campus offices,” Randy Livingston, vice
president for business affairs, told Stanford News Friday. “This is
absolutely unacceptable. Our community expects that we will keep their
personal information confidential and secure, and we have failed to do
so.”

Stanford will offer credit monitoring and fraud protection to those
involved in the GSB leaks and has established a call center to answer
questions that can be reached at (888) 684-4998.

According to Stanford News, the University only discovered the leaks
involving thousands of non-teaching employees on Nov. 27. The data,
used for setting salaries, was open to members of the GSB.

Investigations into a breach involving the GSB began back in February,
however, when the MBA student brought his financial aid findings to
Jack Edwards, director of financial aid for the GSB, according to
Poets and Quants’ article. The GSB IT team secured the data he had
accessed within an hour. But IT did not recognize how far the leaks
extended and did not pass the breach of privacy on to other offices or
the GSB Dean for further investigation, according to Stanford News.

The University said the personally identifying information on
employees was inadvertently made public in September of 2016 and was
locked by early March along with other improperly shared GSB files.

Ranga Jayaraman, associate dean and chief digital officer for the GSB,
announced in an email Friday to the GSB’s faculty, student and staff
lists that he is leaving his job.

“I take full responsibility for the failure to recognize the scope and
nature of the J Drive data exposure and report it in a timely manner
to the Dean and the University Information Security and Privacy
Offices,” he wrote. “I am fully accountable for this inexcusable error
in judgement.”

Jayaraman, a tech veteran who was previously Chief Information Officer
at Nvidia, said in a phone call to The Daily that, earlier this year,
his team was “so focused” on fixing permissions on the folder
containing the financial aid files that they didn’t search the folder
to determine what else was exposed. Explaining why the IT team simply
moved on, he said file permissions are a “regular problem in the
world of IT,” though he could not remember dealing with other
permissions errors during his tenure at Stanford.

He told The Daily that while he did not resign, he understands that
leaders of technology organizations have to answer for mistakes.

“Things like this can happen and do happen, and there are times that
we have to… take accountability,” he said. “So I signed up for this.”

GSB dean Jonathan Levin addressed the leak of financial aid data in a
Nov. 17 email to GSB students, faculty and staff, stating that the aid
information was improperly accessible starting in June of 2016. He
said he personally learned of the issue only in late October upon
receiving the MBA student’s report and that the GSB then launched an
investigation.

In response to the data breach episodes across multiple file-sharing
platforms, Stanford’s Information Security office and IT staff are
“working… to develop a comprehensive plan for addressing this problem
broadly and sustainably,” the Stanford News article stated. The
University plans to conduct audits of file permissions both
automatically and manually, as well as work to raise awareness about
potential data leak issues.
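The automated file-permission audit the article says Stanford plans to run could be built along the following lines. This is an added example written for this post, not code from Stanford, the GSB or The Daily. It assumes a POSIX file system and inspects only the classic mode bits (an AFS volume uses directory ACLs instead, which this script does not read); the directory tree it scans is constructed inline so the example runs offline.

```python
"""Audit a directory tree for entries whose POSIX mode bits make them
readable by everyone (or by a broad group), and lock them down.
Added example; assumes a POSIX file system and classic mode bits only."""
import os
import shutil
import stat
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str
    mode: str             # octal mode bits as text, e.g. "0644"
    world_readable: bool  # o+r set
    group_readable: bool  # g+r set


def audit_permissions(root, flag_group=False):
    """Walk `root` and return entries whose mode bits grant read access to
    everyone (o+r). With flag_group=True, group-readable entries (g+r) are
    reported too, for shares where the group is effectively "everyone".
    Symlinks are skipped so a link cannot steer the audit outside `root`."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue  # entry vanished or is unreadable; skip it
            if stat.S_ISLNK(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            world = bool(mode & stat.S_IROTH)
            group = bool(mode & stat.S_IRGRP)
            if world or (flag_group and group):
                findings.append(Finding(full, format(mode, "04o"), world, group))
    return sorted(findings, key=lambda f: f.path)


def lock_down(findings):
    """Clear all group/other bits on each reported entry (owner access only),
    the same 'lock the folder' remediation described in the article.
    Returns a mapping of path -> new octal mode."""
    new_modes = {}
    for f in findings:
        st = os.lstat(f.path)
        mode = stat.S_IMODE(st.st_mode) & ~(stat.S_IRWXG | stat.S_IRWXO)
        os.chmod(f.path, mode)
        new_modes[f.path] = format(mode, "04o")
    return new_modes


def build_sample_tree():
    """Create a constructed sample tree (hypothetical file names, no real
    data) with one world-readable, one group-readable and one private file."""
    root = tempfile.mkdtemp(prefix="perm-audit-")
    layout = {
        "hr/salaries.csv": 0o644,   # world-readable: should be reported
        "hr/private.csv": 0o600,    # owner only: fine
        "shared/notes.txt": 0o640,  # group-readable only: reported with flag_group
    }
    for rel, mode in layout.items():
        full = os.path.join(root, rel)
        parent = os.path.dirname(full)
        os.makedirs(parent, mode=0o700, exist_ok=True)
        os.chmod(parent, 0o700)     # explicit, so the umask cannot widen it
        with open(full, "w") as fh:
            fh.write("constructed sample data\n")
        os.chmod(full, mode)        # explicit mode regardless of umask
    return root


def cleanup(root):
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    root = build_sample_tree()
    try:
        for f in audit_permissions(root, flag_group=True):
            print(f"{f.mode}  world={f.world_readable}  group={f.group_readable}  {f.path}")
        lock_down(audit_permissions(root, flag_group=True))
        print("after lock-down:", audit_permissions(root, flag_group=True))
    finally:
        cleanup(root)
```

In practice the audit step would run on a schedule over the real shares and feed its findings to the data owners rather than chmod-ing automatically, since some world-readable files are meant to be; the script keeps detection and remediation as separate functions for that reason.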

However, Michael Duff, assistant vice president and chief information
security officer, cautioned last month in response to the AFS leak
that the scale of the University’s various file systems means that
permissions errors are not “something there’s a 100 percent solution
for.”

“The challenge is how to achieve a zero error rate in the permissions
across the hundreds of millions of files [and] folders stored at
Stanford,” Duff said.


More information about the BreachExchange mailing list