When Ranga Jayaraman first stepped onto the campus of Stanford University in 1978, he was a self-described geeky young man with little more than $140 in his pocket and a pair of suitcases. Jayaraman had just graduated with his mechnical engineering degree from the Indian Istitute of Technology in Madras, and his foray into Stanford for graduate work was the first time he had been in the U.S.
Within four years, the tech prodigy earned three Stanford degrees, including a PhD in mechnical engineering, that landed the wunderkind a job with IBM’s prestigious Thomas J. Watson Research Center. After high-level stints with IBM, Hitachi and NVIDIA Corp., Jayaraman got the chance to claim what was in all likelihood his dream job in early 2011: To be the CIO and associate dean of one of Stanford’s most acclaimed schools, its Graduate School of Business.
To return to the institution that had helped to transform his life was in many ways the ultimate reward. After four years in the job, he was given the title of chief digital officer. Last week, he was fired by his boss, Dean Jonathan Levin, two weeks after the school disclosed a data breach of the business school’s financial aid records by an MBA student.
‘STANFORD HAS BEEN WONDERFUL TO ME & THIS GOES WITH THE TERRITORY’
Levin had known about the breach since October when Adam Allcock, now a second-year MBA student at Stanford, sent him a lengthy report analyzing the data the student accesed on the school’s computer servers. Much worse than the data breach—the result of information that was stored improperly in a shared folder in June 2016—was the discovery by Allcock that Stanford’s business school had misled thousands of applicants and donors about the way it distributes fellowship grants and financial assistance to its MBA students.
For years, the school claimed that it only awarded scholarship dollars on the basis of financial need. Allcock found that claim to be completely untrue. He discovered that Stanford had routinely funneled millions of dollars in tuition discounts to students without regard to their financial needs, often favoring admits who were female and those from the financial sector, even though many had more savings than students who received no scholarship help or less financial support.
Though Dean Levin became aware that a student had gained access to what was confidential information and Allcock’s subsequent analysis in October, he terminated Jayaraman last week after days of negative headlines in newspapers and websites all over the country. The tech veteran has no ill feelings about what happened. “Stanford has been wonderful to me and things just happen,” he says. “This goes with the territory. There are times when one has to be held accountable, and I am totally fine with it.”
LOSS OF A JOB FOR FAILING TO MOVE INFO UP THE CHAIN OF COMMAND
Jayaraman did not lose his job because a student found his way into a shared server that exposed confidential student data detailing the most recent 5,120 financial aid applications from 2,288 students, spanning a seven-year period from 2008-2009 to 2015-2016. He now finds himself unemployed because he failed to immediately notify the dean or the university of the breach when it was called to his attention in late February of this year.
With the benefit of hindsight, Jayaraman says, he should have informed his boss and the university of the issue after Allcock had alerted the school to the breach. But Jayaraman says he failed to recongize the scope and nature of the exposure when told about it from a member of his team and immediately went to work to lock down the system. At the time, he didn’t even know the student had accessed sensitive data on financial aid, and he certainly didn’t realize that the student would spend 1,500 hours analyzing the data to complile a 378-page report that would ultimately embarrass the school.
Jayaraman also did not know that the student was someone not unlike himself, a computer whiz kid who had come to Stanford with a mechanical engineering degree from the United Kingdom. At the age of 13, Allcock had built his first computer, only to set up a production line in his living room to churn out more of them to sell on Ebay. His sales for the home business was reportedly a cumulative $1.2 million. And while studying for his master’s degree in engineering, which he earned with first class honors, the then 20-year-old student was named the ‘Most Employable Young Person’ at an award ceremony sponsored by Google.
Surprisingly, perhaps, it was Allcock who let the school know about the problem in the first place–in a meeting on Feb. 23 with Jack Edwards, director of financial aid. Edwards quickly alerted Jayaraman’s team. The group was able to remove some permissions within an hour of that meeting. To secure all the files, however, they had to meticulously navigate the structure of the shared network drives, scan through the directories and validate actual permissions versus intended permissions and correct them. That took until early March.
‘THIS IS THE KIND OF STUFF THAT HAPPENS DAY IN AND DAY OUT IN IT’
“At the time this happened in February, we did all of the go-fix-the-problem steps,” recalls Jayaraman. “We made an assessment in terms of what had happened and what actions needed to be taken to fix it and prevent this from happening again. What I failed to do was ask one question: ‘What could have been the nature of the content that was in these files and folders and is there super sensitive content that would trigger additional actions like disclosure.”
After all, data breaches in IT departments are as common as dandelions in an open field. Moreover, this exposure did not result in the disclosure of emails that changed the outcome of a Presidential election or credit card leaks that led to significant fraud. In fact, the exposed files were not available to anyone outside the Graduate School of Business and the names of actual students who were given scholarship money and financial aid were not accessible.
“This is the kind of stuff that happens day in and day out in IT,” acknowledges Jayaraman. “You are always making a judgment call, beyond the immediate action of containment. In this case, when I looked at all the available information and no one was raising alarms about super sensitve information, I decided to let it go. I did not have indicators that triggered the hair on the back of my neck to stand up. In retrospect, would I do the same thing today? I would say my instinct now would be an abundance of caution. I would scan the content to see if if there is sensitivity in the data. But we don’t scan content in people’s folders as a matter of course. Our job is to provide the capablity for people to store things.”
Chronology of What Happened at Stanford
|June, 2016||Some MBA student financial aid records are stored improperly in a shared folder|
|September, 2016||Jonathan Levin, a superstar professor in Stanford’s economics department, becomes dean of the Gradaute School of Business, succeeding Garth Saloner who had resigned|
|September, 2016||More financial aid records for MBA students became accessible on the same server, now totaling 5,120 financial aid applications from 2,288 students|
|January, 2017||First-year MBA student Adam Allcock accidentally gained access to the financial aid records on a shared network server open to the entire GSB community|
|February, 2017||Allcock informs financial aid director Jack Edwards of the data breach|
|February, 2017||Chief Digital Officer Ranga Jayaraman’s team begins to lock down the system, securing all files by early March|
|October, 2017||Allcock sends to GSB Dean Jonathan Levin a 378-page analysis of GSB’s financial aid policies, finding that the school had misled thousands of applicants and students for years|
|Nov. 17, 2017||Dean Levin publicly informs GSB community of breach and concedes the school misled applicants that all its fellowship awards had been granted on the basis of financial need when that was untrue|
|Nov. 30, 2017||Dean Levin apologizes for the data breach and says he was not informed of the problem until eight months after Allcock told Edwards in financial aid|
|Dec. 1, 2017||In a contrite email to colleagues, Chief Digital Officer Jayaraman says he is leaving his job|