University of Oklahoma Exposes Thousands of Student Documents Through Poorly Configured Privacy Settings

Media Division | June 14, 2017

As has been written about several times in our past posts, breaches continue to happen as a result of misconfigured databases and systems. A single incorrect setting can allow public access to sensitive information, which of course could potentially include those with malicious intent. This is a situation which has been occurring far too commonly, and the fact that organizations are continuing to have breaches from extremely basic security errors is just ridiculous. Basic security configurations and settings should be one of the first things that are established when storing the sensitive information of the organization and its public. Once again, there has been an exposure of personal information from this type of issue, this time regarding student data from the University of Oklahoma (OU).

Data Affected by the Breach

According to reports, the breach was a result of insecure privacy settings within a file-sharing network. OU had been notified of the breach by The Daily, who had discovered it last week. The university had then scrambled to address the vulnerability to prevent further access. The information that was able to be accessed included financial information like loans and grants for freshmen students in the years 2012-16, some names and social security numbers, visa statuses, scholarships, and more. Some of this can obviously be much more detrimental in comparison, but none of it should have been accessible either way. Fortunately, it appears that the breach was discovered quick enough to prevent malicious access, as a statement from OU press secretary Matt Epting to The Daily said, “The IT Security team has found no evidence to confirm that there has been a breach by an outside party, and is investigating the scenario that enabled an individual to access the files the individual has claimed to download.”

The Specific Error in Microsoft Delve

It appears that anyone with an email would have been able to access these documents. On the main OU webmail page, there is a link to a Microsoft Office Delve system, which allows the user to search for whatever they like, and this included all of this personal information. Delve is essentially a service that integrates with other Microsoft Office services, and displays documents that the user and others are working on, and also uses gathered data to show documents that might interest the person. Privacy settings are what determine whether documents will show up in Delve. When proper privacy settings in place, Delve can allow for integration, sharing of information, and better workflow, but when settings are incorrect, it can allow sensitive information to be displayed to all those connected.

As mentioned above, this is a matter of extremely basic security. When storing information of any level of sensitivity, security and privacy settings should be verified to be correct before uploading the data. This is all it takes for these types of breaches to be prevented.

Employment of Thorough Security to Prevent Cyber Attacks

Of course, securing stored data through basic configuration is a vital first line of defense, but there is also the matter of implementing thorough security to defend against threats that could attempt to aggressively breach. Cyber security must be comprehensive and frequently maintained to be able to properly prevent cyber attacks. Massive Alliance offers a range of tools and services that can help to fortify an organization against threats and attackers.

Massive's Media Division publishes timely news and insights based on current events, trends, and actionable cross-industry expertise.