The IT Department at Dixie State University unintentionally exposed the personal data of 19 journalism scholarship students over the course of six days in November.
The incident occurred on the DSU website due to a configuration change that removed the security setting on the journalism scholarship page. This allowed anyone to view the journalism scholarship applications for 19 students online. Google accessed the page before IT re-secured the information and created a snapshot, called a cached copy, that remained on Google for about two months.
The leaked information in those applications included the students' names, birthdates, phone numbers, home addresses, emails, Dixie ID numbers, majors, GPAs and an optional resume attachment. Bank account information, transcripts and social security numbers were not required on the application, so they were not exposed.
“At this point, we’re not sure how the page got unsecure,” said Rex Frisbey, webmaster of information technology services at DSU. “Whether we were working on it and we accidentally hit the checkbox to unsecure it or if when we updated our production it missed the update — we’re not 100 percent sure.”
Information security officer Andrew Goble said the change to the page that allowed the data exposure was made on Nov. 9, 2016, and was fixed on Nov. 15, 2016. Google’s bots accessed the page, indexed the information, and created a cached copy that was still accessible in January.
“So you had a six-day period where this page was accessible to anybody who knew how to look for it,” Goble said. “It wasn’t made intentionally; it was an accident.”
Wendy Stabler, a senior English major from Calgary, Canada, stumbled upon the exposed information by chance on Jan. 10. Stabler said she was Googling an old website for a business she ran when her name, along with all her private information and a PDF of her resume, came up.
“I’m concerned because my home address is now online,” she said. “My private cell phone number and my birthdate, now all that’s missing is my social security number. There were certain things that I had been really protective of and now they’re exposed. My concern is always identity theft, so if a hacker comes across this information, it’s not too tough with every other piece of information to get a social security card.”
Stabler immediately notified DSU IT of the security exposure, and they began working with Google to have the information taken down.
The DSU Information Security Office sent the affected students an email on Thursday informing them of the security exposure that occurred on the DSU website in November and assuring them that the office had worked with Google and that the cached information was removed from Google’s servers on Jan. 13.
Hanna Pollock, a sophomore media studies major from Stansbury Park, said Stabler first made her aware of the information exposure — not the university — by telling her to Google herself.
“My phone number and address were on the internet for anyone to see,” Pollock said. “If a stalker wanted to look me up, he or she could easily find me and harass me over phone or by coming to my apartment. I don’t even know how long the information was visible to the public, so who knows what people could’ve done.”
Gary Koeven, the chief information officer at DSU, said the university has a specialized insurance policy for these sorts of incidents. Under the Family Educational Rights and Privacy Act, the university has no legal responsibility to notify the students in this case because no social security number, financial data or credit card information was exposed.
“The risk of any of these students having any problem because of this seems very very low,” Koeven said. “But still, we should’ve protected that information. There was a mistake that was made with the web that caused it to happen, so we decided we would have an abundance of caution and let the students know what had happened.”
Although insurance isn’t going to cover it, according to the email DSU sent the students, the university is offering each of the 19 students a complimentary year of Experian’s ProtectMyID Alert as a precaution.
Pollock said DSU and the IT department need to take situations like this more seriously.
“The IT department at DSU isn’t as secure as I originally thought,” she said. “They sent a mass email as an apology, but that doesn’t protect me from what they’ve already released. They need to hire more professional people who take our privacy seriously.”