[BreachExchange] Personal information of students exposed in Stanford data breach

[Destry Winant]

https://www.securityinfowatch.com/cybersecurity/information-security/breach-detection/news/21068904/personal-information-of-students-exposed-in-stanford-data-breach

For the second time in 15 months, Stanford University has been hit by
an embarrassing data breach that exposed the personal information of
students, including home addresses, Social Security numbers and even
test scores and essays.

The Stanford Daily is reporting that Stanford students could view
applications and high-school transcripts of other students “if they
first requested to view their own admission documents under the Family
Educational Rights and Privacy Act (FERPA).” Documents that were
compromised by the hackers including extremely sensitive personal
information like Social Security numbers for some students, as well as
“students’ ethnicity, legacy status, home address, citizenship status,
criminal status, standardized test scores, personal essays and whether
they applied for financial aid. Official standardized test score
reports were also accessible,” the paper reported, which explained
that while students’ documents could not be search by name, the were
“accessible by changing a numeric ID in a URL.”

“We regret this vulnerability in our system and apologize to those
whose records were inappropriately viewed,” the school said in a
statement released on Friday. “We have worked to remedy the situation
as quickly as possible and will continue working to better protect our
systems and data. Finding and fixing vulnerabilities before
adversaries discover and exploit them is an ongoing and essential
activity in systems management.”

The breach comes 14 months after Stanford announced that a previously
revealed hack of confidential information on a computer server at its
Graduate School of Business was wider than had been reported earlier,
according to Poets & Quants, a prominent online news site that covers
the graduate-business school community.

In that hack, the site reported, ” campus privacy investigators found
that a shared platform at the GSB potentially exposed the personal
information of” thousands of people at the university.” Like the
recent hack, the 2017 breach compromised the personal date of
students, including the “names, birthdates, Social Security numbers
and salary information for nearly 10,000 non-teaching university
employees – a snapshot taken in August 2008,” said the report. “The
file apparently was made accessible to human resources staff at the
business school for annual salary setting. The file was exposed to the
GSB community for six months before it was locked and secured” in the
spring of 2017.

The 2017 attack ended up costing Stanford’s chief digital officer his
job. Ranga Jayaraman announced that he was leaving “after a student
revealed that the school had not been forthcoming with its fellowship
grants,” this newspaper reported at the time.In a statement, Jayaraman
said “I take full responsibility for the failure to recognize the
scope and nature of the … data exposure and report it in a timely
manner to the dean and the University Information Security and Privacy
Office. I would like to express my most sincere apologies … to anyone
whose personal information might potentially have been compromised.”

Here are some things to know about the most recent hack at Stanford:

How the hack was discovered

According to the Stanford Daily, a student who had submitted a FERPA
request in order to review the student’s own admissions documents
discovered “the vulnerability in a third-party content management
system called NolijWeb that the University has used since 2009 to host
scanned files.” Anyone willing to submit such a request, going back to
2015, would have been able to examine the files through NolijWeb.” The
Daily reported that this student, between Jan. 28 and 29, was able to
access the records of 81 students.

Who else saw the files

Other students who were told about the easy-to-access records were
able to review personal information in 12 students’ records “during
that time period while seeking to learn more about the kinds of files
exposed.”

The university responds

Here’s the full statement released Friday by the school:

“NolijWeb is an enterprise content management repository that houses
documents and images in support of admissions and other university
administrative processes at Stanford. The product was deployed at
Stanford in 2009. The NolijWeb product line was acquired by Hyland
Software in 2017, and the company has since announced the
discontinuation of the product. University IT at Stanford is currently
implementing a new replacement platform, and this project will be
completed by the summer.

“On Tuesday, February 5, University IT learned from the Stanford Daily
that a Stanford student had identified a vulnerability on our NolijWeb
platform. UIT confirmed the issue and reported the concern to the
vendor. Hyland subsequently acknowledged the problem where, under very
specific circumstances, an authenticated student account could be used
to access another student’s documents – specifically, Common App
applications and high school transcripts submitted to Stanford as part
of the undergraduate admission process. This vulnerability was
specific to a student-facing interface that students used to retrieve
their own documents using the NolijWeb platform.

“The NolijWeb system and the broader IT infrastructure provide
multiple levels of audit logging. Analysis of these logs is ongoing
and is allowing us to identify unauthorized access. At this point, we
have confirmed that the records of 93 students were accessed in the
period of January 28-29 and afterward, 81 of them by one student, and
the rest by other students. Thus far, we have not identified any other
instances of unauthorized viewing, though our review is continuing.
The privacy of records is deeply important to Stanford, and we will be
notifying individuals whose records were viewed.

“University IT has since disabled the vulnerable component of the
system that was the source of the problem. As a result, the electronic
delivery of applications and high school transcripts to students who
request them has been suspended, though students may still make
requests for these documents to the Registrar’s Office. University IT
is researching options for restoring the online access.”

The Daily holds back

The newspaper also reported that it had held back on reporting about
the exposed data until school officials “could secure the breach so
that students’ records could be protected. The student who disclosed
the breach to The Daily was granted anonymity to protect them from
potential legal repercussions for accessing private information while
investigating the security flaw,” said the paper.

The third-party content-management company is put on notice

The report says that Stanford notified Nolij’s parent company Hyland
Software of the breach. Hyland, which has bought Nolij in 2017, had
announced in late December that was discontinuing the NolijWeb
product.

Stanford’s IT experts try to clean up the mess

The Stanford University Information Technology (UIT) said it intended
to implement “a new platform to replace the NolijWeb system by this
summer,” said the Daily, adding that ” a number of schools still use
NolijWeb to store admissions records. It is unclear how many schools
using NolijWeb give students access to the online documents, or how
many might be subject to the vulnerability.”

The company’s response?

The Daily said its reporters had “reached out to eight different
executives at Hyland Software for comment and expressed concern that
other schools’ data may be similarly compromised by NolijWeb. Alexa
Marinos, Hyland’s Senior Manager of Corporate Communications,
confirmed receiving The Daily’s phone and email requests for comment,
made over the course of a week. However, the company provided no
statement on the matter.”

Stanford students weigh in

Jonathan Lipman, sophomore, told this newspaper: “I’m glad the student
who first discovered the breach acted morally and worked

to have the breach closed before malicious actors scraped all
undergraduate students’ admissions data. It’s a bit embarrassing that
Stanford is using software that is no longer supported (NolijWeb was
discontinued on December 31, 2018 according to its website). I think
this demonstrates the importance of programs like the Bug Bounty.
While I understand that UIT is concerned mostly with external security
threats, I was both shocked and concerned that Stanford does not
conduct security audits from multiple trust levels (student, staff,
alumni, etc…). Some of the best hackers in the country have Stanford
logins and it would seem prudent to conduct penetration tests
accordingly.

“I can’t say I’m particularly shocked — Stanford has a sprawling IT
infrastructure with many external vendors and legacy internal systems.
It’s a difficult task to constantly maintain high levels of defense on
all of these systems..”

Sophomore Ben Esposito said: “Stanford keeps running into trouble over
data breaches precisely because it holds an unnecessary large amount
of data on its students. If it held only the most essential data, they
would be better able to prioritize which data to keep especially
secure.”

David Jaffe, also a sophomore, said: “Stanford should look into
investing in the incredible abilities of it’s students by offering
more opportunities for students to support the university’s IT
infrastructure. I know many great students with underutilized
technical skills that, from what I’ve noticed, have been more than
happy to assist others for free just for the experience.”

Anna Sofia Lesiv contributed reporting to this story.