A series of cybersecurity vulnerabilities at Stanford University exposed thousands of sensitive files containing details of sexual assault investigations, disciplinary actions and more. The details of what happened—and why it should be an object lesson for higher education. A special three-part blog series.

Part 1

In three separate data security incidents over the past year at Stanford University, thousands of digital files were left exposed for months – perhaps longer – that contained details of sexual assault investigations, disciplinary actions and financial aid decisions on the school’s campus-wide IT network.

In a post Friday, the school admitted that “misconfigured permissions” – the gateways used to access databases and files – on two of the school’s file-sharing programs exposed “reports of sexual violence and some confidential student disciplinary information from six to 10 years ago” and “the personal information of nearly 10,000 non-teaching staff who were employed throughout the university in August 2008, as well as confidential financial aid information for MBA students.”

The Stanford incidents underscore the challenges faced by higher education in dealing with data sprawl – the all too common phenomena of sensitive information residing in databases and files – and putting proper controls in place to effectively limit user access.

The information exposed at Stanford falls into four categories:

  • At least 38 de-identified sexual assault files based on counseling sessions that were gathered to comply with federal law that requires colleges and universities that participate in federal financial aid programs to keep and disclose information about campus crime;

  • Nearly 50 emails addressed to the Office of Judicial Affairs related to student disciplinary actions from 2005-1012;

  • Confidential financial aid files – including decision-making information – for Stanford’s Graduate School of Business; and

  • Salary information, Social Security numbers, and birthdates belonging to nearly 10,000 non-teaching university employees.

Stanford officials have taken full responsibility. “This is absolutely unacceptable. Our community expects that we will keep their personal information confidential and secure, and we have failed to do so,” said Randy Livingston, vice president for business affairs, whose department includes oversight of University Information Technology and the Information Security and University Privacy offices.

Many universities – like private sector companies – have experienced security incidents or data breaches that compromise stockpiles of highly sensitive information. Last month, the academic information for 1,700 Rutgers University students was exposed including college ID numbers, cumulative grade point averages and class schedules due to an “administrative error.”

And at Michigan State University, a hacker gained access to a server last year that contained a database of 400,000 records that included names, Social Security numbers, college ID numbers and dates of birth. In June, the University of Oklahoma left exposed 29,000 student files “due to a misunderstanding of privacy settings.”