In the Fall 2021 semester, a vulnerability in the university’s SharePoint system was discovered. The university addressed and resolved the issue once made aware of the vulnerability, and issued a statement to OCU Student Publications confirming that the vulnerability was resolved by campus technology.
A student employee discovered the data breach; their name has been withheld from this story. The student employee said they discovered documents containing students’ personal identifiable information. The student employee said this information included names, addresses, GPAs, and more. “These documents seemed to be accessible by anyone with a university E-mail address,” said the student employee.
“Last month, university officials became aware of a small number of documents that had been stored within the SharePoint system without the appropriate security restrictions. A limited number of these documents contained information of former and current OCU students,” stated a university statement to OCU Student Publications.
“Officials immediately secured the documents in question and have since verified that none of the documents were accessed by any individual or entity outside of the university.”
“I discovered the data vulnerability on accident. I wanted to learn more about our university and decided accessing public files shared by and with the university was one way to do it,” said the student employee.
After finding documents of purely numerical student population records and committee reports, the student employee was suspicious that something was wrong. The student employee said these documents “raised red flags.” After finding a document containing financial information for the film department, they said they knew it was time to make a report to the Helpdesk.
The student employee said the Helpdesk asked them to send links to these vulnerable files. “I began looking for the Excel documents on the numerical student population, but instead found Excel documents with student personal identifiable information,” the student employee said. The student employee said these documents included names, addresses and GPAs.
“After copying the links to about a dozen files and seeing no end in sight, I decided it was time to stop,” the student employee said.
The student employee said the university took steps to resolve the issue after receiving these links.
“While personal information was not compromised, Campus Technology Services has taken the opportunity to review its training procedures to help protect the university against future data storage and management vulnerabilities,” stated the university.
Leave a Reply