In early September, sensitive personal information about several students was exposed by Virginia Tech through filebox.vt.edu.
A random search conducted by the Liberty Coalition, an organization that works in conjunction with partner organizations to preserve citizens' autonomy and privacy, found files on a VT server that contained sensitive information about students.
"We found this information on Yahoo, with just a simple Internet search," said Aaron Titus, an information privacy director with the Liberty Coalition. "There were a total of six files, two of them were duplicates, and three of the files contained social security numbers (of Virginia Tech students). The remainder had grades and other types of information."
The files contained information on roughly 100 people, including 12 social security numbers. The files ranged from team rosters to grading spreadsheets used by professors and were found on Tech's filebox server at filebox.vt.edu.
Many organizations devoted to personal liberties and privacy protection conduct random searches for information that could lead to identity theft, to help protect citizens from the increasingly common crime. Titus was conducting a standard search on a search engine such as Yahoo or Google, "a search that anybody can do," Titus said. One of the results that happened to pop up in the search was filebox.vt.edu.
"Filebox is the place that (the information) was all located," Titus said. "Many universities have online file repositories like this; this is neither the first time that universities have leaked information, nor is it the first time they've leaked information through these online file repositories. It's an ongoing theme."
Titus attributes the mistakes to faculty members' misunderstanding of how the filebox system works. He thinks that some users of filebox mistakenly believe that, because they logged in to upload their files, the files are somehow automatically protected, or that users have to have a password to upload them.
"In order to upload to filebox, you have to log in," Titus said. "But you don't have to log in to access the information or download it; it's available to the public."
Randy Marchany, an IT Security Lab Director at Tech, could not comment on the specific leaks of early September, but noted that such errors are not uncommon and are handled very quickly and appropriately by the university.
"Usually, it's just a misconfiguration error and as soon as we find out about it, we remove the access to that filebox until (the sensitive information) is taken down. That is the usual case," Marchany said. He added that the filebox issue in question was "resolved months ago."
"There are a number of sites that run around and try to look for places where social security numbers are displayed. Typically, if a site finds something like this, they'll notify us they found a Web site," Marchany said. "We verify that link does indeed have a social security number and usually within 24 hours the site is offline and owners are notified about the information."
Marchany said all students whose social security numbers were discovered online were notified.
"Very rarely is a leak like this malicious, with the exception of criminals," Titus said. "It is universally anywhere from stupidity, negligence, accident, mistake, any combination of them. I would hate to be a university IT specialist; essentially what you're doing is guarding massive quantities of information, but you have tens of thousands of people who can log in at will."