Data Exposure At Stanford GSB Wider Than Reported

The iconic Hoover Tower at Stanford University

Stanford University today (Dec. 1) disclosed that a previously revealed breach of confidential information on a computer server at its Graduate School of Business is much wider than earlier reported. Campus privacy investigators found that a shared platform at the GSB potentially exposed the personal information of nearly 10,000 non-teaching staff at the university.

Stanford said its investigation of what it is calling an “exposure” found that a file on a GSB server contained the names, birthdates, Social Security numbers and salary information for nearly 10,000 non-teaching university employees – a snapshot taken in August 2008. The file apparently was made accessible to human resources staff at the business school for annual salary setting. The file was exposed to the GSB community for six months before it was locked and secured last March 3.

This latest admission comes after Poets&Quants revealed that a computer breach at the business school had allowed at least one MBA student to gain access to confidential financial aid information for MBA students (see Stanford GSB Misled Applicants On Financial Aid). The breach exposed 14 terabytes of highly confidential student data detailing the most recent 5,120 financial aid applications from 2,288 students, spanning a seven-year period from 2008-2009 to 2015-2016.

STANFORD GSB’S TECH TEAM FAILED TO REPORT THE BREACH TO DEAN LEVIN

The university said these files were accidentally made available on a shared server starting in June of 2016. Other files on the same server were accessible starting in September 2016. All files were secured by early March, according to the university.

The university also disclosed today that the business school’s IT (Information Technology) team became aware of the breach of MBA financial aid information in February of 2017 but failed to report the problem to Stanford GSB Dean Jon Levin.

“At that time, the GSB IT team recognized there was a permission problem and promptly secured all of the files on the drive,” according to university spokesperson Lisa Lapin in a statement. “But they failed to understand the scope of the exposure and did not report it to the GSB dean or relevant university offices for further investigation.”

IT TOOK EIGHT MONTHS BEFORE DEAN LEVIN KNEW OF THE BREACH–FROM THE STUDENT WHO FOUND IT

The university statement did not acknowledge that its IT team only learned about the breach because the student who found the data, a first-year MBA student named Adam Allcock, had reported the problem on Feb. 23 to Jack Edwards, director of financial aid at the business school. Otherwise, the school may not have known about the exposure.

It apparently took another eight months before Dean Levin became aware of the breach. That was when Allcock says he sent him an in-depth report on the school’s financial aid practices which found that the school’s claims of granting scholarship support only on a needs-based formula were untrue.

Allcock found that Stanford had routinely granted fellowship money to students without regard to their financial needs, often favoring admits who were female and those from the financial sector, even though many had more savings than students who received no scholarship help or less financial support. His analysis also found what he termed “systemic biases against international students…This is inconsistent with a need-based financial aid system,” he wrote in the report.

DEAN CONCEDES STANFORD HAS BEEN GRANTING MERIT SCHOLARSHIPS DESPITE CLAIMS TO THE CONTRARY

It wasn’t until Nov. 17 that Levin publicly conceded that the school had failed to come clean on how it distributes financial awards to students and acknowledged the breach of confidential student data. In a statement to the GSB community issued at 6:39 p.m. on a Friday, Nov. 17, GSB Dean Jon Levin said the data has been “improperly stored in a shared folder that was accessible to all GSB faculty, staff and students. The records were anonymized and did not include names; however, they included income and asset information, and information on prior employment.”

Though the school has long insisted that it does not grant fellowship awards on the basis of merit, Dean Levin wrote that the school “has offered additional fellowship awards to candidates whose biographies make them particularly compelling and competitive in trying to attract a diverse class.”

He promised that the school would be “significantly more transparent about the principles and objectives being applied in making financial aid awards, and about how different awards are made. We are committed to working on this for the current admissions cycle.”

STANFORD ALSO DISCLOSED EXPOSURE OF SEXUAL ASSAULT DATA

Today’s statement by the university also noted that yet another file-sharing platform, widely used throughout the university, exposed a variety of information from several campus offices, including Clery Act reports of sexual violence and some confidential student disciplinary information from six to 10 years ago.

Stanford said its Information Security and University Privacy offices have been investigating the data breakdown and are continuing to review file-sharing platforms campus-wide to assure appropriate access permissions are in place.

“The university does not have any direct evidence that personally identifiable information was accessed from the GSB file,” adds Lapin, a university spokesperson, in the statement. “But as a precaution, beginning today, notification letters are being sent to all impacted employees and students who may have had personally identifiable information exposed.”

“We extend the deepest apology to the employees and former Stanford students who expected that their personal information would be treated with the greatest care by campus offices,” said Randy Livingston, vice president for business affairs, in a statement. “This is absolutely unacceptable. Our community expects that we will keep their personal information confidential and secure, and we have failed to do so. The proliferation of file-sharing platforms requires that everyone be vigilant in assuring that confidential information remains secure, old files are deleted and permissions are regularly reviewed.”
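The university’s remedy, as described above, is to review file-sharing platforms for appropriate permissions and to delete old files. The following script is an added example of what such a review looks like in practice on a POSIX file share; it is not code from Stanford or from the article. It walks a folder tree, flags every regular file that is readable by all accounts on the system (the `S_IROTH` bit, the on-disk analogue of a folder “accessible to all faculty, staff and students”) and every file untouched for longer than a retention window, and builds a small constructed sample share so it can be run offline. The file names, modes and retention period are assumptions for the demonstration.

```python
import os
import stat
import tempfile
import time
from dataclasses import dataclass


@dataclass
class Finding:
    path: str
    issue: str  # "world-readable" or "stale"


def audit_share(root, stale_days=365, now=None):
    """Walk a shared folder and report files that are readable by every
    account on the system, or that have not been modified in more than
    stale_days days and are candidates for deletion."""
    now = time.time() if now is None else now
    cutoff = now - stale_days * 86400
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets and other non-file entries
            if st.st_mode & stat.S_IROTH:
                findings.append(Finding(path, "world-readable"))
            if st.st_mtime < cutoff:
                findings.append(Finding(path, "stale"))
    return findings


def summarize(findings):
    """Reduce findings to sorted (file name, issue) pairs for reporting."""
    return sorted((os.path.basename(f.path), f.issue) for f in findings)


def make_demo_share():
    """Constructed sample share (assumed layout, not the real server):
    one locked-down current file, one file readable by everyone, and one
    file nobody has touched for three years. Returns the temp root."""
    root = tempfile.mkdtemp(prefix="share_demo_")
    hr = os.path.join(root, "hr")
    os.makedirs(hr)
    three_years_ago = time.time() - 3 * 365 * 86400
    files = {
        "salary_current.csv": (0o600, None),            # owner only, recent
        "salary_snapshot.csv": (0o644, None),           # readable by every account
        "applications_old.csv": (0o600, three_years_ago),  # stale, should be purged
    }
    for name, (mode, mtime) in files.items():
        path = os.path.join(hr, name)
        with open(path, "w") as fh:
            fh.write("constructed sample data\n")
        os.chmod(path, mode)
        if mtime is not None:
            os.utime(path, (mtime, mtime))
    return root


if __name__ == "__main__":
    demo_root = make_demo_share()
    for name, issue in summarize(audit_share(demo_root)):
        print(f"{issue:15} {name}")
```

Run it against a real share root instead of the demo folder to get the same two lists; on a Windows or NTFS share the equivalent check reads the ACL for an “Everyone” or “Authenticated Users” read entry rather than the `S_IROTH` mode bit, but the review loop is the same.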
