BreachExchange mailing list archives
Personal information of students exposed in Stanford data breach
From: Destry Winant <destry () riskbasedsecurity com>
Date: Tue, 19 Feb 2019 00:56:43 -0600
https://www.securityinfowatch.com/cybersecurity/information-security/breach-detection/news/21068904/personal-information-of-students-exposed-in-stanford-data-breach

For the second time in 15 months, Stanford University has been hit by an embarrassing data breach that exposed the personal information of students, including home addresses, Social Security numbers and even test scores and essays.

The Stanford Daily is reporting that Stanford students could view applications and high-school transcripts of other students “if they first requested to view their own admission documents under the Family Educational Rights and Privacy Act (FERPA).”

Documents that were compromised by the hackers included extremely sensitive personal information like Social Security numbers for some students, as well as “students’ ethnicity, legacy status, home address, citizenship status, criminal status, standardized test scores, personal essays and whether they applied for financial aid. Official standardized test score reports were also accessible,” the paper reported, which explained that while students’ documents could not be searched by name, they were “accessible by changing a numeric ID in a URL.”

“We regret this vulnerability in our system and apologize to those whose records were inappropriately viewed,” the school said in a statement released on Friday. “We have worked to remedy the situation as quickly as possible and will continue working to better protect our systems and data. Finding and fixing vulnerabilities before adversaries discover and exploit them is an ongoing and essential activity in systems management.”

The breach comes 14 months after Stanford announced that a previously revealed hack of confidential information on a computer server at its Graduate School of Business was wider than had been reported earlier, according to Poets & Quants, a prominent online news site that covers the graduate-business school community.

In that hack, the site reported, “campus privacy investigators found that a shared platform at the GSB potentially exposed the personal information of” thousands of people at the university. Like the recent hack, the 2017 breach compromised the personal data of students, including the “names, birthdates, Social Security numbers and salary information for nearly 10,000 non-teaching university employees – a snapshot taken in August 2008,” said the report. “The file apparently was made accessible to human resources staff at the business school for annual salary setting. The file was exposed to the GSB community for six months before it was locked and secured” in the spring of 2017.

The 2017 attack ended up costing Stanford’s chief digital officer his job. Ranga Jayaraman announced that he was leaving “after a student revealed that the school had not been forthcoming with its fellowship grants,” this newspaper reported at the time. In a statement, Jayaraman said “I take full responsibility for the failure to recognize the scope and nature of the … data exposure and report it in a timely manner to the dean and the University Information Security and Privacy Office. I would like to express my most sincere apologies … to anyone whose personal information might potentially have been compromised.”

Here are some things to know about the most recent hack at Stanford:

How the hack was discovered

According to the Stanford Daily, a student who had submitted a FERPA request in order to review the student’s own admissions documents discovered “the vulnerability in a third-party content management system called NolijWeb that the University has used since 2009 to host scanned files.” Anyone willing to submit such a request, going back to 2015, would have been able to examine the files through NolijWeb. The Daily reported that this student, between Jan. 28 and 29, was able to access the records of 81 students.

Who else saw the files

Other students who were told about the easy-to-access records were able to review personal information in 12 students’ records “during that time period while seeking to learn more about the kinds of files exposed.”

The university responds

Here’s the full statement released Friday by the school:

“NolijWeb is an enterprise content management repository that houses documents and images in support of admissions and other university administrative processes at Stanford. The product was deployed at Stanford in 2009. The NolijWeb product line was acquired by Hyland Software in 2017, and the company has since announced the discontinuation of the product. University IT at Stanford is currently implementing a new replacement platform, and this project will be completed by the summer.

“On Tuesday, February 5, University IT learned from the Stanford Daily that a Stanford student had identified a vulnerability on our NolijWeb platform. UIT confirmed the issue and reported the concern to the vendor. Hyland subsequently acknowledged the problem where, under very specific circumstances, an authenticated student account could be used to access another student’s documents – specifically, Common App applications and high school transcripts submitted to Stanford as part of the undergraduate admission process. This vulnerability was specific to a student-facing interface that students used to retrieve their own documents using the NolijWeb platform.

“The NolijWeb system and the broader IT infrastructure provide multiple levels of audit logging. Analysis of these logs is ongoing and is allowing us to identify unauthorized access. At this point, we have confirmed that the records of 93 students were accessed in the period of January 28-29 and afterward, 81 of them by one student, and the rest by other students. Thus far, we have not identified any other instances of unauthorized viewing, though our review is continuing. The privacy of records is deeply important to Stanford, and we will be notifying individuals whose records were viewed.

“University IT has since disabled the vulnerable component of the system that was the source of the problem. As a result, the electronic delivery of applications and high school transcripts to students who request them has been suspended, though students may still make requests for these documents to the Registrar’s Office. University IT is researching options for restoring the online access.”

The Daily holds back

The newspaper also reported that it had held back on reporting about the exposed data until school officials “could secure the breach so that students’ records could be protected. The student who disclosed the breach to The Daily was granted anonymity to protect them from potential legal repercussions for accessing private information while investigating the security flaw,” said the paper.

The third-party content-management company is put on notice

The report says that Stanford notified Nolij’s parent company Hyland Software of the breach. Hyland, which bought Nolij in 2017, had announced in late December that it was discontinuing the NolijWeb product.

Stanford’s IT experts try to clean up the mess

The Stanford University Information Technology (UIT) said it intended to implement “a new platform to replace the NolijWeb system by this summer,” said the Daily, adding that “a number of schools still use NolijWeb to store admissions records. It is unclear how many schools using NolijWeb give students access to the online documents, or how many might be subject to the vulnerability.”

The company’s response?

The Daily said its reporters had “reached out to eight different executives at Hyland Software for comment and expressed concern that other schools’ data may be similarly compromised by NolijWeb. Alexa Marinos, Hyland’s Senior Manager of Corporate Communications, confirmed receiving The Daily’s phone and email requests for comment, made over the course of a week. However, the company provided no statement on the matter.”

Stanford students weigh in

Jonathan Lipman, sophomore, told this newspaper: “I’m glad the student who first discovered the breach acted morally and worked to have the breach closed before malicious actors scraped all undergraduate students’ admissions data. It’s a bit embarrassing that Stanford is using software that is no longer supported (NolijWeb was discontinued on December 31, 2018 according to its website). I think this demonstrates the importance of programs like the Bug Bounty. While I understand that UIT is concerned mostly with external security threats, I was both shocked and concerned that Stanford does not conduct security audits from multiple trust levels (student, staff, alumni, etc…). Some of the best hackers in the country have Stanford logins and it would seem prudent to conduct penetration tests accordingly.

“I can’t say I’m particularly shocked — Stanford has a sprawling IT infrastructure with many external vendors and legacy internal systems. It’s a difficult task to constantly maintain high levels of defense on all of these systems.”

Sophomore Ben Esposito said: “Stanford keeps running into trouble over data breaches precisely because it holds an unnecessarily large amount of data on its students. If it held only the most essential data, they would be better able to prioritize which data to keep especially secure.”

David Jaffe, also a sophomore, said: “Stanford should look into investing in the incredible abilities of its students by offering more opportunities for students to support the university’s IT infrastructure. I know many great students with underutilized technical skills that, from what I’ve noticed, have been more than happy to assist others for free just for the experience.”

Anna Sofia Lesiv contributed reporting to this story.
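The flaw the article describes (an authenticated student retrieving another student's file by changing the numeric ID in a URL) and the audit-log review Stanford says it used to count affected records are modelled below. This is an added illustration, not NolijWeb code or anything from the Stanford Daily; the document table, student IDs and log format are constructed for the example.

```python
# Added example (not from the article or NolijWeb): a document handler that trusts
# the numeric id from the URL, the ownership check that closes the hole, and a pass
# over audit-log records that flags accounts which touched other students' files.
from collections import defaultdict

# Constructed repository: numeric document id -> (owner student id, description).
DOCUMENTS = {
    1001: ("s-alice", "Common App application"),
    1002: ("s-alice", "high school transcript"),
    1003: ("s-bob", "Common App application"),
    1004: ("s-carol", "high school transcript"),
}

# Constructed audit log: one (viewer, doc_id, owner, granted) record per request.
AUDIT_LOG = []


def fetch_document_vulnerable(viewer, doc_id):
    """Looks the document up by id only: any authenticated user can read any id."""
    owner, desc = DOCUMENTS[doc_id]
    AUDIT_LOG.append((viewer, doc_id, owner, True))
    return desc


def fetch_document(viewer, doc_id):
    """Hardened: the id still selects the document, but it must belong to the caller.
    The request is logged before the check so denied attempts are visible too."""
    owner, desc = DOCUMENTS[doc_id]
    granted = owner == viewer
    AUDIT_LOG.append((viewer, doc_id, owner, granted))
    if not granted:
        raise PermissionError(f"{viewer} is not the owner of document {doc_id}")
    return desc


def flag_cross_account_access(audit_log):
    """Returns {viewer: sorted other students whose documents the viewer requested}.
    Denied attempts are included: they are the signal that someone is probing ids."""
    seen = defaultdict(set)
    for viewer, _doc_id, owner, _granted in audit_log:
        if owner != viewer:
            seen[viewer].add(owner)
    return {viewer: sorted(owners) for viewer, owners in seen.items()}


if __name__ == "__main__":
    fetch_document_vulnerable("s-alice", 1001)  # own document: legitimate request
    fetch_document_vulnerable("s-alice", 1003)  # id changed in the URL: bob's file served
    print(flag_cross_account_access(AUDIT_LOG))  # {'s-alice': ['s-bob']}
```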