[BreachExchange] OU shuts down file sharing service after failing to protect thousands of students' records

Destry Winant destry at riskbasedsecurity.com
Thu Jun 15 01:22:16 EDT 2017


http://www.oudaily.com/news/ou-shuts-down-file-sharing-service-after-failing-to-protect/article_4f9a5e2c-50a2-11e7-a807-2f591e6c54f0.html

OU unintentionally exposed thousands of students’ educational records
— including social security numbers, financial aid information and
grades in records dating to at least 2002 — through lax privacy
settings in a campus file-sharing network, violating federal law.

The university scrambled to safeguard the files late Tuesday after
learning The Daily had discovered the breach last week. The Daily
spoke to vice president for admissions and records Matt Hamilton
Tuesday afternoon, when he said OU IT was aware of the breach and was
working to secure the files. (Update: On Wednesday afternoon, Hamilton
sent The Daily a response letter regarding the breach.)

OU press secretary Matt Epting provided the following statement late
Tuesday night: “The IT Security team has found no evidence to confirm
that there has been a breach by an outside party, and is investigating
the scenario that enabled an individual to access the files the
individual has claimed to download.”

At no point did The Daily suggest there had been an outside breach,
but rather that lax security measures allowed email users more access
to educational records than should have been allowed.

In just 30 of the hundreds of documents made publicly discoverable on
Microsoft Office Delve, there were more than 29,000 instances in which
students’ private information was made public to users within OU’s
email system. Each instance could constitute a violation of the Family
Educational Rights and Privacy Act, which gives students control over
who can access their educational records.

“This isn't even gray. It's very clear in FERPA — you've got to have
signed consent to do this or meet one of the exceptions to signed
consent,” said FERPA expert LeRoy Rooker when briefed on the scope of
the OU breach. “This doesn't fit either of these.”

Rooker headed the Family Policy Compliance Office in the U.S.
Department of Education, the office that administers FERPA, for more
than two decades. He said he was certain the files were disclosed
unintentionally: no one sets out to violate FERPA. Schools violating
the law can have their federal funding pulled, though they’re always
given a chance to remedy the situation and avoid the penalty.

“I know the people there, from (OU President) David Boren on down —
Matt Hamilton, all of them — they're very FERPA-conscious,” Rooker
said. “Something slipped through the cracks. Somewhere, somebody
didn't know what they were doing or a vendor didn't educate them.”

The files became accessible to OU account holders on May 14, Hamilton
said in an email Wednesday, when OU migrated SharePoint to cloud
servers. He said the university is aware of which exact file
directories were accessible, though because of the number and nature
of the records, he said he couldn't provide a count of the number of
student records in the directories.

What types of documents were disclosed?

The files disclosed in Delve ranged from harmless to potentially
illegal, and they were all hiding in plain sight for anyone with an
ou.edu email to stumble upon. One click from OU’s webmail page takes
you to Delve, where a search bar was the only obstacle in between you
and lots of information you shouldn’t have been able to see.

For example, four spreadsheets included financial information for
students in the freshman classes of 2012-13, 2013-14, 2014-15 and
2015-16. The documents included students’ names and OU ID numbers,
along with the amounts of money they received in scholarships, grants,
loans or waivers.

Another series of spreadsheets listed students who had received grades
of incomplete during the fall 2014, spring 2015, summer 2015, fall
2015, summer 2016 and fall 2016 semesters.

One document listed the names and social security numbers of 30
students, including the names of athletes now playing professionally.
It’s not clear why the document existed or how the students were
related.

Two others listed the visa statuses of more than 500 international students.

Several documents included information about current OU athletes’
scholarships and their eligibility statuses, including one that listed
which students cannot practice this summer due to failed drug tests,
recruiting violations or academic misconduct.

On the more harmless side: a student’s resume, saved in her OneDrive
account, a one-sheet summarizing FERPA law and a slideshow on
“Computer Security.”

When The Daily discovered the breach, reporters and editors searched
for documents only to determine the scope of the breach: how far back
documents dated, how many students’ information was at risk and the
circumstances under which these documents seemed to be shared. The
Daily will not pursue stories based on any individual documents found.
The documents were not shared with other Daily staff members, and they
were deleted before publication of the story.

What is Delve?

Delve is a Microsoft Office service that aims to learn about you and
the people you work with to show you documents you’re working on,
documents that others are working on and popular documents within your
network. It aims to be intelligent, showing you information it thinks
you’d be interested in. Within OU’s Office 365 system, anyone with an
OU email uses Delve, whether they know it or not.

It displays files and information stored in other Microsoft Office
services like OneDrive and SharePoint. Microsoft’s website reassures
users about Delve’s security: “Yes, your documents are safe. Delve
never changes any permissions. Only you can see your private documents
in Delve.”

Privacy settings that allow files to show up in Delve are adjusted
where the files are stored (like OneDrive, for example). Delve,
however, can’t keep even the most sensitive files private if the
person storing the document doesn’t set up the privacy settings
properly.

At OU, Delve is accessible through the Office 365 system, so it works
within the ou.edu email system. As of late Tuesday, Delve no longer
shows any files at all. During the breach, a user could navigate to
different users’ profiles or perform a search to find files, then
click to see the file in a browser viewer with the option to download
it.

A Microsoft representative said via email Wednesday that the company
couldn't provide an interview on this topic, and directed The Daily to
OU IT for more information.

What happens next?

For students whose information was improperly disclosed during the
breach, there’s little recourse. FERPA does not give a student private
right of action, FERPA expert and general counsel at Rhode Island
School of Design Steven McDonald said. That means a student couldn’t
sue OU for disclosing his or her records, he said.

Students can file a complaint about the way an institution is
following FERPA with the Family Policy Compliance Office. The office
investigates complaints, and if a violation were found, the office
would tell the university what it needed to fix to be compliant with
the law. If a university doesn’t comply, it could lose its federal
funding.

To avoid data breaches, policy counsel for education privacy at the
Future of Privacy Forum and FERPA expert Amelia Vance suggests schools
regularly audit themselves. She said the majority of data breaches —
like OU’s — happen due to human error.

“There's a lot of best practices. One that may have been useful here
when it had been implemented is making sure there are periodic audits
of how information is kept,” Vance said. “You go through the system
and make sure this type of disclosure doesn’t happen.”

Vance said there’s more confusion in K-12 and higher education about
how to ensure data is kept secure as technology changes and advances,
but data breaches aren’t unique to the digital age.

“It's not entirely new. It's fairly new,” Vance said. “Breaches of
student information were happening even when we had paper records.”

Hamilton said in an email Wednesday that OU would continue to work
with IT to ensure its users are aware of how to securely share files.


More information about the BreachExchange mailing list