OU unintentionally exposed thousands of students’ educational records — including social security numbers, financial aid information and grades in records dating to at least 2002 — through lax privacy settings in a campus file-sharing network, violating federal law.
The university scrambled to safeguard the files late Tuesday after learning The Daily had discovered the breach last week. The Daily spoke to vice president for admissions and records Matt Hamilton Tuesday afternoon, when he said OU IT was aware of the breach and was working to secure the files. (Update: On Wednesday afternoon, Hamilton sent The Daily a response letter regarding the breach.)
OU press secretary Matt Epting provided the following statement late Tuesday night: “The IT Security team has found no evidence to confirm that there has been a breach by an outside party, and is investigating the scenario that enabled an individual to access the files the individual has claimed to download.”
At no point did The Daily suggest there had been an outside breach, but rather that lax security measures allowed email users more access to educational records than should have been allowed.
In just 30 of the hundreds of documents made publicly discoverable on Microsoft Office Delve, there were more than 29,000 instances in which students’ private information was made public to users within OU’s email system. Each instance could constitute a violation of the Family Educational Rights and Privacy Act, which gives students control over who can access their educational records.
“This isn't even gray. It's very clear in FERPA — you've got to have signed consent to do this or meet one of the exceptions to signed consent,” said FERPA expert LeRoy Rooker when briefed on the scope of the OU breach. “This doesn't fit either of these.”
Rooker headed the Family Policy Compliance Office in the U.S. Department of Education, the office that administers FERPA, for more than two decades. He said he was certain the files were disclosed unintentionally: no one sets out to violate FERPA. Schools violating the law can have their federal funding pulled, though they’re always given a chance to remedy the situation and avoid the penalty.
“I know the people there, from (OU President) David Boren on down — Matt Hamilton, all of them — they're very FERPA-conscious,” Rooker said. “Something slipped through the cracks. Somewhere, somebody didn't know what they were doing or a vendor didn't educate them.”
The files became accessible to OU account holders on May 14, Hamilton said in an email Wednesday, when OU migrated SharePoint to cloud servers. He said the university is aware of which exact file directories were accessible, though because of the number and nature of the records, he said he couldn't provide a count of the number of student records in the directories.
What types of documents were disclosed?
The files disclosed in Delve ranged from harmless to potentially illegal, and they were all hiding in plain sight for anyone with an ou.edu email to stumble upon. One click from OU’s webmail page takes you to Delve, where a search bar was the only obstacle in between you and lots of information you shouldn’t have been able to see.
For example, four spreadsheets included financial information for students in the freshman classes of 2012-13, 2013-14, 2014-15 and 2015-16. The documents included students’ names and OU ID numbers, along with the amounts of money they received in scholarships, grants, loans or waivers.
Another series of spreadsheets listed students who had received grades of incomplete during the fall 2014, spring 2015, summer 2015, fall 2015, summer 2016 and fall 2016 semesters.
One document listed the names and social security numbers of 30 students, including the names of athletes now playing professionally. It’s not clear why the document existed or how the students were related.
Two others listed the visa statuses of more than 500 international students.
Several documents included information about current OU athletes’ scholarships and their eligibility statuses, including one that listed which students cannot practice this summer due to failed drug tests, recruiting violations or academic misconduct.
On the more harmless side: a student’s resume, saved in her OneDrive account, a one-sheet summarizing FERPA law and a slideshow on “Computer Security.”
When The Daily discovered the breach, reporters and editors searched for documents only to determine the scope of the breach: how far back documents dated, how many students’ information was at risk and the circumstances under which these documents seemed to be shared. The Daily will not pursue stories based on any individual documents found. The documents were not shared with other Daily staff members, and they were deleted before publication of the story.
What is Delve?
Delve is a Microsoft Office service that aims to learn about you and the people you work with to show you documents you’re working on, documents that others are working on and popular documents within your network. It aims to be intelligent, showing you information it thinks you’d be interested in. Within OU’s Office 365 system, anyone with an OU email uses Delve, whether they know it or not.
It displays files and information stored in other Microsoft Office services like OneDrive and SharePoint. Microsoft’s website reassures users about Delve’s security: “Yes, your documents are safe. Delve never changes any permissions. Only you can see your private documents in Delve.”
Privacy settings that allow files to show up in Delve are adjusted where the files are stored (like OneDrive, for example). Delve, however, can’t keep even the most sensitive files private if the person storing the document doesn’t set up the privacy settings properly.
At OU, Delve is accessible through the Office 365 system, so it works within the ou.edu email system. As of late Tuesday, Delve no longer shows any files at all. During the breach, a user could navigate to different users’ profiles or perform a search to find files, then click to see the file in a browser viewer with the option to download it.
A Microsoft representative said via email Wednesday that the company couldn't provide an interview on this topic, and directed The Daily to OU IT for more information.
What happens next?
For students whose information was improperly disclosed during the breach, there’s little recourse. FERPA does not give a student private right of action, FERPA expert and general counsel at Rhode Island School of Design Steven McDonald said. That means a student couldn’t sue OU for disclosing his or her records, he said.
Students can file a complaint about the way an institution is following FERPA with the Family Policy Compliance Office. The office investigates complaints, and if a violation were found, the office would tell the university what it needed to fix to be compliant with the law. If a university doesn’t comply, it could lose its federal funding.
To avoid data breaches, policy counsel for education privacy at the Future of Privacy Forum and FERPA expert Amelia Vance suggests schools regularly audit themselves. She said the majority of data breaches — like OU’s — happen due to human error.
“There's a lot of best practices. One that may have been useful here when it had been implemented is making sure there are periodic audits of how information is kept,” Vance said. “You go through the system and make sure this type of disclosure doesn’t happen.”
Vance said there’s more confusion in K-12 and higher education about how to ensure data is kept secure as technology changes and advances, but data breaches aren’t unique to the digital age.
“It's not entirely new. It's fairly new,” Vance said. “Breaches of student information were happening even when we had paper records.”
Hamilton said in an email Wednesday that OU would continue to work with IT to ensure its users are aware of how to securely share files.
This story was updated at 4:03 p.m. June 14 with information from OU Vice President for Admissions and Records Matt Hamilton about the duration of the breach.
This story was updated again at 4:29 p.m. June 14 to include that a Microsoft representative said in an email they couldn't provide an interview on this topic.