BreachExchange mailing list archives
Exposed student data leaves prying eyes wide open
From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Thu, 9 Sep 2010 01:32:26 -0400
http://citycollegenews.com/2010/09/07/exposed-student-data-leaves-prying-eyes-wide-open/

An online MCTC directory left sensitive student data and internal documents accessible to the prying eyes of anyone with an Internet connection since at least the summer of 2006, according to an investigation by City College News.

Besides annual accounts-receivable reports and salary rosters, a database spanning the last several years of work-study records contained the names of students, their student ID numbers, the amount which they were awarded and the amount which they had earned, sorted by department.

However, college officials claimed that only names of department heads, student ID numbers and work-study awards appeared in the database. This contradicts what City College News found, but the college said that it would investigate further for other data.

The college did not keep records of who accessed the data, according to Jim Dillemuth, chief information officer of MCTC, who suggested that there is no reason to suspect that the data came under inappropriate use.

The disclosure of student data may violate the federal Family Education Records and Privacy Act (FERPA) as well as the Minnesota Government Data Practices Act (MGPDA), both of which govern how public entities handle data and how they are to protect the educational records of students.

Administration unaware

The directory, which officials confirmed in an interview belonged to Dee Bernard, director of finance, shared a server with websites maintained by instructors and administrative staff, but it vanished from public view early last month as part of a planned technical change.

Asked whether anyone had been aware of the vulnerability prior to City College News’ investigation, Dianna Cusick, director of legal affairs, said, “No, I wasn’t aware of it. [Dillemuth] wasn’t aware of it.”

“There was definitely a decision made over the past couple of years on the budget-setting process that was in place through Finance to try to be transparent about the budget process, about the budget information and to put out information that was easily accessible to our community,” Cusick said. “So that’s what I think we were trying to do.”

She continued, “We weren’t aware of all of the reports that were being put out there.”

The college made a strategic decision to make budget information available to all who wanted to see it, she said, though it is not clear whether the college intended to make such a broad range of information available.

[..]

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/