Security lapse makes GPAs visible
Some may not consider this a breach, and it involves no financial data. The university pointed out that the exposed data could not be used for ID theft, and they’re probably quite correct in that, but what about FERPA and the privacy of education records?
The University [of Oregon] has fixed a security breach in its DuckWeb system after a student used it to look at three other students’ degree audits.
The hole in DuckWeb’s security allowed Web users to view certain other students’ degree audits by changing digits in the URL for a printer-friendly version of their own audits, which contain information about a student’s grades and his or her progress toward a degree.[…]
The glitch originated in the system the University uses to upload degree audits. All degree audits for which information has changed on a given day are uploaded simultaneously that night and assigned what Eveland said is a randomly-generated nine-digit number called a batch number. That number is at the end of the URL for the printer-friendly version of the audit and it is the one Bachhuber used to access the degree audits.
Eveland said only the first audit uploaded on a given night was accessible through the glitch. She also said the University removes the data tied to the batch numbers every 30 days, which she said means that only “15 to 20” audits would have been available to those who knew about the glitch at any given time during a 30-day period.
“At first it struck me as, ‘Wow, this is a really stupid security hole,’” Bachhuber said. But he said that he later entered the URL for his own degree audit while logged out of DuckWeb and found he could still access it.
“My own personal data was exposed to anyone publicly,” Bachhuber said. “It wasn’t indexed on Google or anything, but if you understood the structure, you could get my degree audit.”
University officials downplayed the vulnerability of students’ data through the loophole.
“The information that was available on degree audits, none of it could have been used for identity theft,” University spokesperson Heidi Hiaasen said.
Read more in the Oregon Daily Emerald. Kudos to the student paper for covering the incident.