Cybersecurity and the Stanford U. Breach
They say data is the new oil due to its value. Colleges and universities have this new target for attackers in abundance. For each student, the institution has their social security numbers, permanent address, courses, grades, personal signatures, and other data. This is very useful for a number of reasons, including selling the data on the dark web, and identity theft. These issues can arise intentionally with a breach by a third party, or unintentionally with a misconfiguration of sorts. Stanford University is no different than the others as a target and depository for data and information.
Stanford University contracted with a third party, Perceptive Software, to scan and host a student’s personal documents. This was accessed through the third party’s software, Nolij Web. Stanford University had used this system since 2009 as a document management system. Starting in 2015, students could use this to view files after submitting a request. This software was also used by other universities.
As with any application, this needs to be configured correctly, tested, and monitored. By simply configuring the application and deploying this, without testing, the administrators are asking for a lot of problems to be dropped at their doorstep. This isn’t the first issue of this nature. At Stanford University in 2019, an incident occurred, which was reported on 2/5/2019. The students at the University have the opportunity to view their own records online. This is not unusual. Most universities have this option. The issue is, however, someone changed the numeric identification number in the URL. The record was then forwarded to the students who requested to view the files.
Fortunately, this was not widespread. This did, however, affect 93 students. The records for these students were accessed from January 28-29, 2019. For these, one student accessed 81 records using this technique. This could have been much worse. Thousands of students could have been affected.
While the issue did affect Stanford University students, it is not directly attributable to the University. The issue is actually with NolijWeb, a third party system. This was used for content management, acting as a depository for scanned filed. The University had used this since 2009.
Record Retrieval Service
The process of creating the issue was relatively direct. The student submits a Family Educational Rights and Privacy Act (FERPA) request. The student would have been provided a link to the “Student Admission Documents” information portal for Stanford University. Once the student successfully enters the portal, the student is directed to NolijWeb. Here, they enter their personal student identification number. At this point, they are able to search for their personal documents. The documents have the standard data the University would hold. This includes the social security number, home addresses, ethnicity, personal essays, citizenship, criminal status, and test scores. The issue is the network request. This request is easily modified for another student’s records. The student only has to change the file numbers in the URL. This file number, to make this worse, was not random. This made guessing not difficult.
Stanford University did notify the affected students. The records should have been better secured. The third-party and software should have been better vetted and tested. Stanford University also notified Hyland Software of the issue. This connection is with Hyland Software as the organization purchased NolijWeb in 2017.
Ingram, J., & Knowles, H. (2019, February 14). Data breach allowed students to view other student’s admission files, sensitive personal data. Retrieved from https://www.stanforddaily.com/2019/02/14/data-breach-allowed-students-to-view-other-students-admission-files-sensitive-personal-data/
Kadvany, E. (2017, December 1). Thousands of records exposed in stanford data breaches. Retrieved from https://www.paloaltoonline.com/news/201/12/01/thousands-of-records-exposed-in-stanford-data-breaches
May, P. (2019, February 18). Personal information of students exposed in stanford data breach. Retrieved from https://www.securityinfowatch.com/cybersecurity/information/-security/breach-detection/news/21068904/personal-information-of-students-exposed-in-stanford-data-breach
Nelson, P.A., Newman, C.A. (2017, December 12). Inside the Stanford breach: Exposed records lead to financial aid scandal. Retrieved from https://www.pbwt.com/data-security-law-blog/inside-the-stanford-data-breach-exposed-records-lead-to-financial-aid-scandal
Zurkus, K. (2019, February 19). Student data exposed at Stanford university. Retrieved from https://www.infosecurity-magazie.com/news/student-data-exposed-at-stanford-1/
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.