BreachExchange mailing list archives

Exposed student data leaves prying eyes wide open


From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Thu, 9 Sep 2010 01:32:26 -0400

http://citycollegenews.com/2010/09/07/exposed-student-data-leaves-prying-eyes-wide-open/

An online MCTC directory left sensitive student data and internal
documents accessible to the prying eyes of anyone with an Internet
connection since at least the summer of 2006, according to an
investigation by City College News.

Besides annual accounts-receivable reports and salary rosters, a
database spanning the last several years of work-study records
contained the names of students, their student ID numbers, the amount
which they were awarded and the amount which they had earned, sorted
by department.

However, college officials claimed that only names of department
heads, student ID numbers and work-study awards appeared in the
database. This contradicts what City College News found, but the
college said that it would investigate further for other data.

The college did not keep records of who accessed the data, according
to Jim Dillemuth, chief information officer of MCTC, who suggested
that there is no reason to suspect that the data came under
inappropriate use.

The disclosure of student data may violate the federal Family
Education Records and Privacy Act (FERPA) as well as the Minnesota
Government Data Practices Act (MGPDA), both of which govern how public
entities handle data and how they are to protect the educational
records of students.

Administration unaware

The directory, which officials confirmed in an interview belonged to
Dee Bernard, director of finance, shared a server with websites
maintained by instructors and administrative staff, but it vanished
from public view early last month as part of a planned technical
change.

Asked whether anyone had been aware of the vulnerability prior to City
College News’ investigation, Dianna Cusick, director of legal affairs,
said, “No, I wasn’t aware of it. [Dillemuth] wasn’t aware of it.”

“There was definitely a decision made over the past couple of years on
the budget-setting process that was in place through Finance to try to
be transparent about the budget process, about the budget information
and to put out information that was easily accessible to our
community,” Cusick said. “So that’s what I think we were trying to
do.”

She continued, “We weren’t aware of all of the reports that were being
put out there.”

The college made a strategic decision to make budget information
available to all who wanted to see it, she said, though it is not
clear whether the college intended to make such a broad range of
information available.

[..]
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/