Incorrect permissions settings on a Graduate School of Business (GSB) server exposed the names, birthdates, salaries and Social Security numbers of 10,000 non-teaching staff employed University-wide in 2008, leaving the data open for about six months beginning last year, Stanford reported Friday.
While the University has no evidence that the exposed personal information was actually accessed, it began notifying those affected Friday. The Information Security office has also hired a data forensics team to investigate for privacy breaches across the University and is asking all groups on campus to “urgently” review the permissions on their files.
Revelations of the breach follow news broken yesterday by Poets and Quants that an MBA student found, re-identified and analyzed confidential data on financial aid spanning 2008 to 2015; any member of the GSB community could access information that included students’ income, assets and prior employment. The student discovered that the GSB does not award fellowship money solely on need, as it previously claimed, instead offering additional funds to some candidates. According to the student’s analysis, the GSB’s aid favored women and showed bias against international students.
Recent University privacy breaches extend beyond the GSB. Last month, The Daily also discovered permissions errors in AFS, the University-wide networked file system, that let anyone in the Stanford community – as well as users at other schools that run the same platform – access information on sexual assault cases prepared from campus therapy sessions and emails about student conduct issues, among other confidential material.
“We extend the deepest apology to the employees and former Stanford students who expected that their personal information would be treated with the greatest care by campus offices,” Randy Livingston, vice president for business affairs, told Stanford News Friday. “This is absolutely unacceptable. Our community expects that we will keep their personal information confidential and secure, and we have failed to do so.”
Stanford will offer credit monitoring and fraud protection to those involved in the GSB leaks and has established a call center to answer questions that can be reached at (888) 684-4998.
According to Stanford News, the University did not discover the exposure of the thousands of non-teaching employees’ records until Nov. 27. The data, used for setting salaries, was open to all members of the GSB.
Investigations into a breach involving the GSB had begun back in February, however, when the MBA student brought his financial aid findings to Jack Edwards, director of financial aid for the GSB, according to Poets and Quants’ article. The GSB IT team secured the data he had accessed within an hour. But IT did not determine how far the exposure extended and did not escalate the privacy breach to other offices or to the GSB Dean for further investigation, according to Stanford News.
The University said the personally identifying information on employees was inadvertently made public in September of 2016 and was locked by early March along with other improperly shared GSB files.
Ranga Jayaraman, associate dean and chief digital officer for the GSB, announced in an email Friday to the GSB’s faculty, student and staff lists that he is leaving his job.
“I take full responsibility for the failure to recognize the scope and nature of the J Drive data exposure and report it in a timely manner to the Dean and the University Information Security and Privacy Offices,” he wrote. “I am fully accountable for this inexcusable error in judgement.”
Jayaraman, a tech veteran who was previously Chief Information Officer at Nvidia, said in a phone call to The Daily that, earlier this year, his team was “so focused” on fixing permissions on the folder containing the financial aid files that they didn’t search the folder to determine what else was exposed. Explaining why the IT team simply moved on, he said file permissions are a “regular problem in the world of IT,” though he could not remember dealing with other permissions errors during his tenure at Stanford.
He told The Daily that while he did not resign, he understands that leaders of technology organizations have to answer for mistakes.
“Things like this can happen and do happen, and there are times that we have to … take accountability,” he said. “So I signed up for this.”
GSB dean Jonathan Levin addressed the leak of financial aid data in a Nov. 17 email to GSB students, faculty and staff, stating that the aid information had been improperly accessible since June of 2016. He said he personally learned of the issue only in late October, upon receiving the MBA student’s report, and that the GSB then launched an investigation.
In response to the data breach episodes across multiple file-sharing platforms, Stanford’s Information Security office and IT staff are “working … to develop a comprehensive plan for addressing this problem broadly and sustainably,” the Stanford News article stated. The University plans to conduct audits of file permissions both automatically and manually, as well as work to raise awareness about potential data leak issues.
However, Michael Duff, assistant vice president and chief information security officer, cautioned last month in response to the AFS leak that the scale of the University’s various file systems means permissions errors are not “something there’s a 100 percent solution for.”
“The challenge is how to achieve a zero error rate in the permissions across the hundreds of millions of files [and] folders stored at Stanford,” Duff said.
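As an added illustration of what an automated permissions audit of the kind described above might check, here is example code that is not from Stanford or from the original article. It walks a directory tree and reports files and folders whose POSIX “other” bits grant read or write access to every local account, and it parses the output of the AFS `fs listacl` command to flag ACL entries that give rights to `system:anyuser` (every AFS client anywhere, no login required) or `system:authuser` (every authenticated user of the cell). The sample tree it builds and the `fs listacl` output it parses are constructed for the demonstration, and the `/afs/example.edu/dept/finaid` path is a placeholder, not a real Stanford location.

```python
"""Permissions audit helpers for shared file stores: POSIX mode bits and AFS ACLs.

Example code written for this article; not Stanford's tooling. Sample data is constructed.
"""
import os
import stat
import tempfile

# AFS principals that mean "everyone": system:anyuser is any AFS client in any cell,
# with no authentication; system:authuser is every authenticated user of the local cell.
BROAD_AFS_PRINCIPALS = ("system:anyuser", "system:authuser")

# Constructed output in the shape `fs listacl <dir>` prints (path is a placeholder).
SAMPLE_LISTACL = """Access list for /afs/example.edu/dept/finaid is
Normal rights:
  system:administrators rlidwka
  system:anyuser rl
  finaid-staff rlidwk
"""


def parse_fs_listacl(text):
    """Parse `fs listacl` output into {principal: rights}.

    Only the 'Normal rights' section is read; any 'Negative rights' section is skipped.
    """
    acl = {}
    in_normal = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Normal rights:"):
            in_normal = True
            continue
        if line.startswith("Negative rights:"):
            in_normal = False
            continue
        if in_normal and line:
            principal, _, rights = line.partition(" ")
            acl[principal] = rights.strip()
    return acl


def overbroad_acl_entries(acl):
    """Return [(principal, rights)] for broad principals holding read (r) or write (w)."""
    return [(p, r) for p, r in acl.items()
            if p in BROAD_AFS_PRINCIPALS and ("r" in r or "w" in r)]


def audit_tree(root):
    """Walk a tree and report entries whose 'other' bits grant read or write.

    Returns a sorted list of (relative path, problem). World-writable is reported
    in preference to world-readable when both bits are set. Symlinks are skipped.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue
            rel = os.path.relpath(path, root)
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            elif mode & stat.S_IROTH:
                findings.append((rel, "world-readable"))
    return sorted(findings)


def build_demo_tree():
    """Create a constructed sample tree (placeholder content, not real data)."""
    root = tempfile.mkdtemp(prefix="permaudit_")
    os.makedirs(os.path.join(root, "hr"))
    os.makedirs(os.path.join(root, "public"))
    private = os.path.join(root, "hr", "salaries.csv")
    with open(private, "w") as f:
        f.write("name,salary\nexample,1\n")
    os.chmod(private, 0o644)                    # misconfigured: readable by everyone
    os.chmod(os.path.join(root, "hr"), 0o750)   # the directory itself is restricted
    shared = os.path.join(root, "public", "notice.txt")
    with open(shared, "w") as f:
        f.write("open to all\n")
    os.chmod(shared, 0o666)                     # misconfigured: world-writable
    os.chmod(os.path.join(root, "public"), 0o755)
    return root


def demo_findings():
    """Audit the constructed tree and return its findings."""
    return audit_tree(build_demo_tree())


if __name__ == "__main__":
    for path, problem in demo_findings():
        print(f"{problem:15s} {path}")
    for principal, rights in overbroad_acl_entries(parse_fs_listacl(SAMPLE_LISTACL)):
        print(f"overbroad AFS ACL: {principal} has {rights}")
```

On a real share the POSIX walk runs directly over the mounted tree, and for AFS the output of `fs listacl` for each directory is fed to `parse_fs_listacl`; on AFS the directory ACL, not the per-file mode bits, is what decides who can read a file, so both checks are needed for a mixed estate.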
Contact Hannah Knowles at hknowles ‘at’ stanford.edu.
This post has been updated with information about the departure of Ranga Jayaraman.
An earlier version of this article incorrectly stated that the server exposed the data of GSB staff, not University-wide staff. The Daily regrets this error.