Officials at Stanford (Calif.) University are investigating three instances in which misconfigured permissions on file-sharing platforms may have exposed student and employee personal and financial information, a university spokeswoman confirmed to Becker's Hospital Review Dec. 5.
Here are six things to know.
1. In February, the IT team at the Stanford Graduate School of Business discovered some confidential financial aid files on a shared server were unintentionally made available to the GSB community in June 2016 and September 2016. The team secured the files in March. However, the team "failed to understand the scope" of the breach and did not report the incident to the GSB dean or other relevant university offices until Oct. 27, when they reported it to the university privacy office, according to Stanford officials.
2. The shared platform at the GSB also potentially exposed the personal data of roughly 10,000 non-teaching staff employed throughout the university in August 2008, as well as financial aid information for MBA students. Stanford officials said they do not have evidence personally identifiable information had been accessed from the GSB file, but as a precaution, the university began mailing letters to affected individuals Dec. 1 and is offering credit monitoring and fraud protection services.
3. The university privacy office and the GSB IT team are investigating the potentially exposed financial information, which was discovered Nov. 21. The information, which had been used for annual salary setting, included names, birthdates, Social Security numbers and salary information. In September 2016, permissions for the folder were changed and the file was inadvertently accessible on the GSB shared drive until it was locked and secured in March.
4. A misconfiguration on another platform, called Andrew File Sharing, led to the exposure of files containing de-identified sexual assault reports gathered under the Clery Act, as well as some emails sent to the then-Student Judicial Affairs office regarding student disciplinary cases. Most of the files were from 2005 to 2012 and were managed by six different campus offices. A student staff member of the Stanford Daily discovered and reported the exposure to campus privacy authorities Nov. 9.
"We were able to secure confidential AFS files within two hours of learning of the exposure, and promptly launched an intensive investigation. In addition, we have urgently reached out to all managers of shared file servers to review access permissions and to delete old files," said Wendi Wright, Stanford's chief privacy officer.
5. Officials from information security and university privacy offices at Stanford are reviewing all university file-sharing platforms to ensure personal and confidential information is secured.
"While we strive for a zero-error rate in permissions across the millions of files and folders stored and shared at Stanford, in this case we fell short of our goal," said Michael Duff, the university's chief information security officer. "The university's decentralized structure requires every file owner to take responsibility for securing information and assuring that access permissions are periodically reviewed and appropriate."
6. On Dec. 2, Ranga Jayaraman, PhD, chief digital officer of the GSB, stepped down from his role, apologizing for having failed to disclose the data breaches in a timely manner, SFGate reports.
"I take full responsibility for the failure to recognize the scope and nature of the ... data exposure and report it in a timely manner to the Dean and the University Information Security and Privacy Office," Dr. Jayaraman wrote in an email to colleagues. "I would like to express my most sincere apologies ... to anyone whose personal information might potentially have been compromised."