The Harvard Computer Society (HCS), the student technology club that provides free computing services to the Harvard community, recently discovered a long-running breach of student and faculty email data. One of the primary functions of HCS is to administer mailing lists. In January 2011, HCS boasted that it hosted 5,000 email lists and 1,700 student-group and user email/web accounts. HCS discovered that email lists assumed to be private had been open to the public until Monday, February 20, 2017.

Reporting by The Harvard Crimson indicates that almost 1.5 million emails, some containing students’ grades, discussion about grades, and financial information, were open to current students, alumni, and anyone else with a Harvard email account. If true, the disclosure of student grades could be a violation of the Family Educational Rights and Privacy Act (FERPA).

It appears that no one ever examined how access to email lists, and the access rights on those lists, was administered, because this is Harvard. Everyone assumed that anyone who configured a mailing list would do it correctly, because this is Harvard.

The longstanding nature of the breach suggests that HCS was exempted from IT security audits. According to Harvard Risk Management & Audit Services, an information system audit consists of an examination and testing of end-user identity management and access controls. Had such an audit been done, list administration would have been low-hanging fruit: the settings that decide whether a list's archive and membership roster are public are a handful of per-list flags that can be checked mechanically.
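The kind of check an auditor would run over list configurations, written here as an added example (not code from the article, from HCS, or from Harvard's audit office). The article does not name the list software; the setting names below follow Mailman 2 conventions (`archive_private`, `advertised`, `private_roster`, `subscribe_policy`, as printed by `config_list -o`), which is an assumption, and the three list dumps and the set of lists "declared private" by their owners are constructed for the example. The audit flags every declared-private list whose settings would let a non-member read its archive, find it, view its roster, or join it without approval.

```python
import ast

# Constructed sample of per-list configuration dumps in the `key = value` style
# that Mailman 2's `config_list -o` emits. The list names and values are made up;
# only the setting names follow Mailman 2 (assumption: the lists run Mailman 2).
SAMPLE_DUMPS = {
    "cs50-staff": """
# Is archive file source for public or private archival? 0=public, 1=private
archive_private = 1
advertised = 0
private_roster = 2
subscribe_policy = 3
""",
    "grades-committee": """
archive_private = 0
advertised = 1
private_roster = 0
subscribe_policy = 1
""",
    "open-announce": """
archive_private = 0
advertised = 1
private_roster = 0
subscribe_policy = 1
""",
}

# Lists whose owners say they must be private (constructed; in a real audit this
# would come from a list registry or an owner attestation, not from the config itself).
DECLARED_PRIVATE = {"cs50-staff", "grades-committee"}


def parse_dump(text):
    """Parse `key = value` lines into a dict, ignoring comments and blank lines.

    Values are Python literals in the dump format, so ast.literal_eval is used
    instead of eval: it never executes code, even if a dump has been tampered with.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = ast.literal_eval(value.strip())
    return settings


def audit_list(name, settings, declared_private):
    """Return the list of privacy findings for one list (empty means it passes).

    Missing settings are treated as the exposing value, so a truncated dump is
    flagged rather than silently passed.
    """
    findings = []
    if name not in declared_private:
        return findings
    if settings.get("archive_private", 0) != 1:
        findings.append("archive is publicly readable")
    if settings.get("advertised", 1) != 0:
        findings.append("list is advertised on the public listinfo page")
    if settings.get("private_roster", 0) != 2:
        findings.append("membership roster visible beyond list admins")
    if settings.get("subscribe_policy", 0) not in (2, 3):
        findings.append("anyone can subscribe without owner approval")
    return findings


def audit_all(dumps, declared_private):
    """Audit every list dump; returns {list_name: [findings]}."""
    return {
        name: audit_list(name, parse_dump(text), declared_private)
        for name, text in dumps.items()
    }


if __name__ == "__main__":
    for list_name, problems in sorted(audit_all(SAMPLE_DUMPS, DECLARED_PRIVATE).items()):
        status = "OK" if not problems else "; ".join(problems)
        print(f"{list_name}: {status}")
```

On the constructed data, `grades-committee` is declared private but carries the same wide-open settings as the genuinely public `open-announce`, so it is reported on all four counts while the other two lists pass. Two caveats for a real audit: the "declared private" set has to come from somewhere other than the list configuration, or the check only confirms the misconfiguration against itself; and a configuration audit says nothing about what was already read while a list was open, which needs web server and archive access logs.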

In February 2014, a former HCS member wrote an article about the history of HCS. The writer noted the following: “I dug through the archives and read all 1341 emails sent over the past 13 years, from 2000 to 2013. Here’s a few of the more interesting emails I found. (I’ve replaced some email addresses and phone numbers with asterisks for privacy’s sake.)” While the messages captured in the blog appear to be group messages, they nonetheless provide a reference point for the potential size of the breach.

The HCS email privacy breach may be a violation of FERPA. Under FERPA, a school may not disclose a student’s grades to another student without the prior written consent of the parent or eligible student. FERPA encourages institutions to self-report breaches to the U.S. Department of Education’s Family Policy Compliance Office. It is too early to tell what Harvard will do.