San Francisco Chronicle

Alerts over 3rd campus security breach

Stanford reports personal data was visible on school servers

- By Nanette Asimov

Stanford University mailed alerts Friday to nearly 10,000 employees and former employees whose Social Security numbers, birth dates and salaries were visible on campus servers for six months.

The incident, pertaining to employee information from 2008, was the third data breach acknowledged by the campus in the last two weeks.

Technology officials in the Graduate School of Business have known since February about the massive exposure — which was not a hack, but an employee slip-up — and although the tech team patched it, they never told the school’s dean, according to a statement posted on the Stanford website on Friday.

The team “failed to understand the scope of the exposure and did not report it to the (business school’s) dean or relevant university offices for further investigation,” the statement from campus spokeswoman Lisa Lapin said.

The problem might never have come to light had it not been for a business school student and his discovery of a different data breach of confidential financial aid data for graduate students in the business school. The Chronicle reported Friday about that glitch, which allowed public access to thousands of confidential student financial aid records.

In the third case, the university notified more than 200 employees and alumni last month that confidential files — including information from personal counseling sessions they may have had — had been accessible to users from more than 50 other college campuses, according to an article in the Stanford Daily. Stanford officials learned of that problem from the student reporters, who withheld publication until the breach could be patched.

Stanford officials said Friday they have no evidence that personally identifiable information had been accessed. They are mailing notification letters to impacted students and employees as a precaution, and making credit monitoring and fraud protection services available to them.

“We extend the deepest apology to the employees and former Stanford students who expected that their personal information would be treated with the greatest care by campus offices,” Randy Livingston, campus vice president for business affairs, said in the campus statement. “This is absolutely unacceptable. Our community expects that we will keep their personal information confidential and secure, and we have failed to do so.”

The exposure of salary and Social Security data began in September 2016, when a human relations employee examining the information from August 2008 changed the site’s privacy settings and inadvertently made the confidential content from that period available for review within the business school, said the statement from Lapin, the spokeswoman.

Lapin said business school officials discovered the problem six months later “after learning that a (business school) student had accessed confidential information on financial aid.” They secured the data by March 3.

The student, Adam Allcock, found the financial aid data on the campus server in February and downloaded it so he could analyze how the business school awarded scholarship money. Business school technology officials learned about it when Allcock asked questions about the data, Lapin said.

The exposure of the financial aid data — and, subsequently, the vulnerability of thousands of employees’ salary and Social Security numbers — might never have come to light if Allcock had not presented his 378-page statistical analysis to Jonathan Levin, the business school’s dean, in October.

The Chronicle reported that Allcock’s analysis revealed that Stanford had misled applicants for years about how it awarded scholarships to the business school, claiming it gave them only to needy students rather than to its preferred candidates.

Levin acknowledged the accuracy of Allcock’s account on Nov. 17 and promised to be “significantly more transparent” about how awards are granted.

Nanette Asimov is a San Francisco Chronicle staff writer. Email: nasimov@sfchronicle.com Twitter: @NanetteAsimov

Max Whittaker / New York Times In the past two weeks, Stanford University has reported three data breaches on its campus.