The University of Oklahoma is responding to a leak of thousands of current and former students’ personal information.
The OU Daily, the campus' student newspaper, found there were 29,000 instances where restricted information on student’s was made accessible to everyone with an OU email account.
The data, that dated back to 2002, included social security numbers, financial aid information and grades, according to the OU Daily.
Specifically, the student newspaper reports the amount students received in scholarships, grants, loans and waivers, student identification numbers and visa statuses of more than 500 international students were available. They also found a list of students who received grades of “incomplete” in classes and names and social securities of 30 students, including some current professional athletes. The paper also reports finding current OU athletes scholarships and a list of athletes that cannot practice this summer for various reasons.
The documents accessed by the OU Daily violate the Family Educational Rights and Privacy Act. Violations put universities at risk of losing federal funding if they are not corrected.
Matt Hamilton, registrar and vice president for enrollment and student financial services at OU, issued the following statement:
“I appreciate the opportunity to respond to the concerns raised about the privacy of FERPA-protected data. The security of our students’ personal information is our highest priority.
First, I want to be clear: At no point was the security of OU IT systems breached. Rather, some sensitive files were inadvertently made accessible to OU account holders due to a misunderstanding of privacy settings. No unauthorized party accessed any of the files mentioned in the OU Daily story except for the story’s author. As soon as OU IT became aware of this situation, the tool enabling the file search was immediately closed. All FERPA-protected files are secure.
I want to provide some background about how this situation arose. OU users can store shared files in spaces called SharePoint team sites. Certain departments store FERPA-protected data on these sites to share within their staff, which is permitted. However, in some cases, the privacy setting options of these sites were misinterpreted, inadvertently allowing access to any OU account holder.
OU’s Office 365 software suite includes collaboration tools such as SharePoint and Delve. Delve allows users to search their SharePoint files using keywords, similar to a Google search. Any SharePoint site with the open privacy setting was searchable to any user within the OU system. This is how the Daily was able to access the sensitive data in question.
OU IT immediately shut down Delve, and the service is not currently available to any OU user. Furthermore, the SharePoint sites accessed by the Daily were immediately restricted to authorized staff users only.
While there was no outside breach of our files, we understand and acknowledge concerns about the vulnerability of sensitive data. We rectified the situation immediately and can assure students that their FERPA-protected files are secure. Moving forward, we will continue to evaluate our privacy measures to ensure absolute protection of personal data.”
Stay in touch with us anytime, anywhere.
Sign up for newsletters emailed to your inbox. Select from these options: Breaking News, Severe Weather, School Closings, Daily Headlines and Daily Forecasts.