BREAKING NEWS: FERPA Leak

File Misconfiguration on University SharePoint leaves Student and Faculty Information Vulnerable

This is an urgent update from the Pacifican regarding your personal information. On February 23rd, at around 10:30 PM, I was searching for a personal document on my university-provided Microsoft OneDrive account when I uncovered something that I was not looking for: an excel spreadsheet that appeared to contain the Student ID Number, first and last name, and the early grades of every single student in every class in every department across the entire university for Spring 2024.  This was not an issue of my account having some weird access, the Pacifican verified that anyone with access to SharePoint could have accessed this, and other documents containing sensitive information. 

By searching my own name within the file, as well as that of a few close friends who gave me their permission, I quickly confirmed my suspicions and decided to continue searching SharePoint. Upon further investigation I uncovered files professing to hold final and early grade reports going back years and signed contracts for Benerd instructors. At that point, I had seen enough and emailed the University administration, with whom I have been in active communication with throughout this process. I wanted the University to have an opportunity to rectify the situation before I went public in hopes of preserving the security of everyone's data.   

I would like to say that this scoop was the result of a month-long investigation, into which I poured my heart and soul. I would like to say that I am a hacker who broke into the system to expose University secrets. Unfortunately, and concerningly I cannot. I use a flip phone because I hate smartphones. I have never owned a car newer than a 2000-year model because, as a shade-tree mechanic, I do not want to deal with all the technology involved with newer models (also I am poor). Anyways, the point is that I am technologically inept and yet I accidentally stumbled upon both FERPA-protected information and Personally Identifiable Information in less than an evening’s worth of snooping through our SharePoint.  

With that all being said, I do not believe that I have the technical capacity or knowledge base to tell you exactly how this occurred. What I do know is that the only files I could see were those that had been shared with administrative groups. I can only assume that at some point in the past, the settings of those groups had been incorrectly set to be available to everyone with a Pacific OneDrive Account. Something the IT department has since rectified, according to a statement released by administration earlier this morning.

“While the review found that none of these errors were made maliciously, they were significant errors, nonetheless. The review is now completed, all data has been secured and the university is putting in new safety measures to ensure these problems do not occur in the future, including tightening SharePoint policies and procedures to limit access only to university employees with a need for the information. Additionally, the university is designing and executing new training procedures for SharePoint.”

 

In the weeks since I reported the leak, the University has acted swiftly to rectify the situation. I lost access to the documents the very next day after reporting them, and I trust the same goes for everyone. I am sure that moving forward, the University will continue to treat the security of our FERPA information with the gravity it deserves. As always, I will continue to keep you informed as developments arise.

 If you have any information you think the student body should be aware of, or any tips for protecting your private information, please share in the comments or reach out to the Pacifican at thepacificanuop@gmail.com. 


Previous
Previous

ASUOP: The Case 5 Controversy

Next
Next

Information Station 5