From a lengthy and apologetic email sent in the middle of last week by Seattle University President Fr. Stephen Sundborg, S.J., we learned that an error in the university’s tech infrastructure left the data of 628 students exposed—including Social Security numbers and medical information.
According to Chief Technology Officer Chuck Porter, the mistake exposed the Social Security numbers of 615 current and former students who had applied for jobs within the department of Public Safety and Transportation between 2010, when the folder was created, and this February, when the error was discovered and corrected.
Another 13 individuals who had attended a new student orientation also had private data exposed—though for this group that information included allergy and other personal medical data, according to Porter.
It is unclear exactly why the information was left public—whether it was an error made when the folders were created or whether one of the users of the folders changed the permission settings at some point.
The exposure of the private information was actually discovered, according to Porter, by a male Seattle U student. Porter said the student had found that the information was public and sent an email to the president’s office on Feb. 21. By 9 a.m., Porter recalled, he was in his office speaking with the student.
“By drawing it to our attention he kicked off the investigation,” Porter said. “We found the root cause of the problem within about an hour and had corrected it within about 90 minutes, so he was really invaluable for pointing it out to us.”
The university appears to have borrowed a great deal of its response plan from the response the University of Maryland mounted when a hacker was able to access and copy sensitive information on over 300,000 former and current students at that university. The incident at Maryland, coincidentally, took place only three days before the discovery of the error in Seattle U’s own system.
Like Maryland, Seattle U administrators set up a web page (at the URL path /datasecurity) that included an FAQ, with similar language, informing students of the technical details of the breach, and a letter from the university’s president. Both universities also offered a year of identity protection services to those affected and provided a hotline through which those affected could get more information.
The similarities appear to end there, however. The University of Maryland soon after expanded its offering to include five years of free protection. Additionally, while the administration at the University of Maryland informed its community of the breach the day after it was discovered, Seattle U didn’t inform its community until the conclusion of its forensic investigation, almost two months later.
This fact is discouraging to students who were victims of the breach. Alum Alex Dvorsky graduated from Seattle U in 2012 and is one such student. For him, the one-year security protection offer doesn’t really matter.
Instead, he wishes he had been informed of the breach sooner so that he could have started keeping an eye on his accounts and information until the problem was solved.
“This breach has probably been around for a while even if it was only discovered in February,” he said. “If something’s already happened I have no way of knowing. It has the potential to be too little, too late.”
From OIT’s published FAQ, it appears the reluctance to inform early was born of a desire to fully understand the extent of the error.
“We are sharing what we know with you now that we have completed the investigation and been able to ascertain the facts, understand precisely who was affected and determine the extent of the information that was vulnerable,” the FAQ reads.
Porter was careful to emphasize during his interview with The Spectator, however, that what happened at Maryland was quite different from what occurred here.
“In the grand scheme of things, it wasn’t like the breach at University of Maryland, where somebody intruded; it was a simple error that we corrected as soon as we found it,” Porter said.
The department of Public Safety and Transportation was, according to Porter, the only one at Seattle U that had been collecting Social Security numbers on their applications.
The practice is unusual, and appears to be widely and loudly decried by professional human resources organizations. Porter, too, expressed some confusion as to why the information was still being sought on applications.
“I don’t [know why social security numbers were being collected on applications], but they’re not being collected anymore,” Porter said. “The moment we found out about it we did two things: first, we changed the permissions; then, we asked Public Safety to change their application so it no longer included social security number.”