Student records unintentionally made public on OU mail servers – Norman Transcript

NORMAN – Private and sensitive information about past and present University of Oklahoma students was available to anyone with a campus-issued email account.

Student records with details as sensitive as financial aid information, Social Security numbers and eligibility status could be accessed through a document sharing system linked to campus emails over the course of a month. It was first discovered by OU's student-run newspaper, The Oklahoma Daily, which notified university administration and ran a story Wednesday about the type of records available.

Upon learning of the security issue – much of the data available was protected by the Family Educational Rights and Privacy Act (FERPA) – OU shut down the Microsoft file sharing program Delve, which was available to students through the campus Microsoft Office 365 software. According to The Daily's report, users were able to search for documents and records with information about other students.

"At no point was the security of OU IT systems breached," said Matt Hamilton, registrar and vice president for enrollment and student financial services. "Rather, some sensitive files were inadvertently made accessible to OU account holders due to a misunderstanding of privacy settings."

In his statement, Hamilton contends no unauthorized person other than the author of the report accessed any of the files mentioned in the OU Daily Story.

Microsoft Delve works with another program, SharePoint, to allow users to share and access documents. Users place documents in SharePoint; Delve enables them to search for those documents.

Any SharePoint site with the open privacy setting was searchable to any user within the OU system, Hamilton said. This is how The Daily was able to access the sensitive data in question.

In its story, The Daily notes that any data gathered for the purposes of the story was deleted once the story was published.

It also states no stories will be written based on any records found.

The records available, according to The Daily, ranged from scholarship money students received to Social Security numbers, academic performance and eligibility of student athletes based on drug test results, academic performance and recruiting violations.

The records were made available when the university moved SharePoint to cloud servers May 14, OU spokesperson Rowdy Gilbert said.

Hamilton said some OU departments used the program to share files with each other, which is legal under FERPA.

However, in some cases, the privacy setting options of these sites were misinterpreted, inadvertently allowing access to any OU account holder, Hamilton said.

Delve remains shut down to any OU user. The SharePoint sites mentioned in The Daily's story have now had access restricted to authorized staff users only, Hamilton said.

"While there was no outside breach of our files, we understand and acknowledge concerns about the vulnerability of sensitive data," he said. "We rectified the situation immediately and can assure students that their FERPA-protected files are secure. Moving forward, we will continue to evaluate our privacy measures to ensure absolute protection of personal data."

Gilbert said since OU faculty and staff handle sensitive information daily, there are strict guidelines and expectations they are required to uphold.

"We have no evidence that this expectation has been violated," Gilbert said.

Students reacted to the report with concern. While there is no sense the information was made available on purpose, there is a worry the records were so widely available at all.

"I don't think the university was using the files and information for anything negative, but it's an issue that anyone, not just school employees, could look at or use that information," said Dan Williams, a junior studying political science. "I think taking it down is a great response, but I think they need to be constantly monitoring data inside of OU.

"We switch platforms all the time, and any time you make these changes, you have to make sure the data is safe. It's possible that private information is out in the public and we don't know about it, and that is very concerning."

According to The Daily's findings, the records that were available include:

29,000-plus cases of protected data disclosed

18,668 financial aid records of freshman classes from 2012-2016

4,585 Pell Grant recipients

626 semester GPAs for student athletes and managers

539 visa types and statuses for international students

133 semester GPAs for students on President Leadership Council

30 Social Security numbers
