Inside the Stanford Breach: Exposed Records Lead to Financial Aid Scandal
A cybersecurity vulnerability at Stanford University exposed thousands of sensitive files containing details of sexual assault investigations and disciplinary actions. The story of what happened—and why it should be an object lesson for higher education. The second of a three-part series.
The culprit behind three separate data security incidents at Stanford University – exposing reams of confidential information about campus sexual assault reports, disciplinary actions, financial aid decisions and personal information for nearly 10,000 employees – was a series of misconfigured access permissions on two file-sharing platforms. As we reported last week, these incidents underscore the challenges faced by higher education in securing confidential information when databases and files proliferate across complex information systems and networks.
They also highlight the headline risk and reputational harm that can result from a breach that exposes sensitive information about the inner workings of an organization. At Stanford, beyond inadvertently disclosing sensitive personal information and the data security vulnerabilities themselves, data from the breach revealed that thousands of financial aid donors and applicants had potentially been misled for years about the way the university doled out financial assistance to MBA students. The school claimed it awarded financial aid based on need, but material from the data breach showed that in many cases Stanford provided financial assistance regardless of financial need, favoring female students and those from the financial services industry. The long-term implications of this news for Stanford’s business school are unclear, but it undoubtedly begs broader questions about the multi-dimensional risks posed when sensitive data –not intended for public consumption– becomes a matter of public record.
In Part 2 of our series, we look at the two separate incidents affecting Stanford’s Graduate School of Business and piece together the timeline for both mishaps. Where possible, we use the university’s own words taken from public statements to describe how each incident unfolded.
June 2016 – “Some confidential financial aid files on a shared server maintained by the GSB were accidentally made available to the GSB community.”
September 2016 – Folder permissions for a file on the same shared server “containing names, birthdates, Social Security numbers and salary information for nearly 10,000 non-teaching university employees” exposed by changing the file’s access permissions, “making the file inadvertently accessible on the GSB shared drive. The file was exposed to the GSB community for six months ….”
January 2017 – Stanford MBA student, Adam Allcock, discovers the financial aid vulnerability in January 2017, which exposed 14 terabytes of student data “detailing the most recent 5,120 financial aid applications from 2,288 students, spanning a seven-year period” through 2017.
February 2017 – “ [T]he GSB IT team recognized there was a permission problem and promptly secured all of the files on the drive.”
March 2017 – Stanford IT team concludes that “all files were secured,” including the financial aid data and the personal data for Stanford non-teaching employees. However, the IT team fails to report the data exposures to the GSB dean or relevant university officials.
October 27, 2017 – The June 2016 financial aid data exposure is first “reported to the University Privacy Office by the GSB….”
November 9, 2017 – Stanford Daily newspaper discovered and reported to campus privacy authorities that data on files containing de-identified sexual assault reports being gathered under the Clery Act and emails about student disciplinary cases, as well comparative data of statistics from other universities, was publicly accessible at Stanford and other schools. The paper waited to publicly report on the data security failure until the school had corrected the exposure.
November 17, 2017 – GSB Dean Jonathan Levin writes to the school community about the financial aid data exposure: “There is no excuse for this compromise of privacy and security, and I intend to do everything possible to ensure that it does not happen in the future.”
November 21, 2017 – Stanford University Privacy Office discovers the September 2016 employee data breach – the exposure of a file containing personal information for “10,000 personnel employed throughout university in August 2008” – and determine that “[t]he file was exposed to the GSB community for six months before it was locked and secured last March 3.”
November 30, 2017 – Poets & Quants, the national business school website, reports on Allcock’s discovery of the financial aid vulnerability. Allcock spent 1,500 hours analyzing the data and compiled a 378-page report, which stated that the school had misled applications concerning how fellowship awards had been granted. According to Allcock, his research based on the exposed data revealed that “[t]he GSB secretly ranks students as to how valuable (or replaceable) they were seen, and awarded financial aid on that basis. Not only has the GSB also been systematically discriminating by gender, international status and more while lying to their faces for the last 10 to ~25 years.”
December 1, 2017 – Stanford acknowledges that “one shared platform” at the business school “potentially exposed the personal information of nearly 10,000 non-teaching staff … as well as confidential financial aid information for MBA students.” The school also admits that its IT team “failed to understand the scope of the exposure and did not report it to the GSB dean or relevant university offices for further investigation.”
December 1, 2017 – Chief Digital Officer leaves position with Stanford GSB.
December 9, 2017 – An editorial in The Harbus, the Harvard Business School publication, argues that Stanford’s handling of the incident “represents gross negligence by the Stanford Administration in their duty to uphold the most important element of any elite business school degree: the school’s brand.”
In our final installment, we’ll look at the third incident, which exposed sexual assault investigations and disciplinary actions.