An online MCTC directory left sensitive student data and internal documents accessible to the prying eyes of anyone with an Internet connection since at least the summer of 2006, according to an investigation by City College News.
Besides annual accounts-receivable reports and salary rosters, a database spanning the last several years of work-study records contained the names of students, their student ID numbers, the amount which they were awarded and the amount which they had earned, sorted by department.
However, college officials claimed that only names of department heads, student ID numbers and work-study awards appeared in the database. This contradicts what City College News found, but the college said that it would investigate further for other data.
The college did not keep records of who accessed the data, according to Jim Dillemuth, chief information officer of MCTC, who suggested that there is no reason to suspect that the data came under inappropriate use.
The disclosure of student data may violate the federal Family Education Records and Privacy Act (FERPA) as well as the Minnesota Government Data Practices Act (MGPDA), both of which govern how public entities handle data and how they are to protect the educational records of students.
The directory, which officials confirmed in an interview belonged to Dee Bernard, director of finance, shared a server with websites maintained by instructors and administrative staff, but it vanished from public view early last month as part of a planned technical change.
Asked whether anyone had been aware of the vulnerability prior to City College News’ investigation, Dianna Cusick, director of legal affairs, said, “No, I wasn’t aware of it. [Dillemuth] wasn’t aware of it.”
“There was definitely a decision made over the past couple of years on the budget-setting process that was in place through Finance to try to be transparent about the budget process, about the budget information and to put out information that was easily accessible to our community,” Cusick said. “So that’s what I think we were trying to do.”
She continued, “We weren’t aware of all of the reports that were being put out there.”
The college made a strategic decision to make budget information available to all who wanted to see it, she said, though it is not clear whether the college intended to make such a broad range of information available.
Some data still online
The directory, though now offline, was previously available for viewing by any inquisitive Internet user and required no special tools to access. And indeed, the technologically-inclined may still find certain data by simply visiting a search engine.
Websites like Google and the Internet Archive’s Wayback Machine constantly and indiscriminately crawl the web and store any data they find, preserving the Internet as it was at a certain point in time.
The Wayback Machine did just that. A 2006 snapshot of the unprotected directory, though without student data at the time, resides in its archive of the Internet going back to 1996. Similarly, Google has in its short-term cache dozens of more recent budgetary documents.
Security expert Adria Richards, a former MCTC student who made headlines during the 2008 election season by discovering security flaws in former Sen. Norm Coleman’s campaign website, spoke last month in Colorado on the security of increasingly digital health records. She said that organizations often get “security through obscurity,” rather than implementing secure protocols for handling data online.
Richards continued, “But that’s like hiding a loaded firearm in the garage.”
What is an educational record?
Whether the data once available online are considered “educational” was up for debate.
Budgets, salaries and accounts-receivable are public documents, according to the freedom of information chair, David Cuillier, of the Society of Professional Journalists, a national association dedicated to protecting the freedom of the press.
“The question is whether [a student ID number] is considered an educational record,” Cuillier said.
However, Cuillier has no problem with posting names and salary information. He explained that such information can ensure accountability to the public, providing a check against excessive or inappropriate compensation and other malfeasances.
“Some people might disagree, and I respect that, but I would argue, no, it should be public,” he said.
MCTC and other colleges and universities maintain their own student directory information policies, as permitted by federal and state laws.
The University of Minnesota, for example, publishes a print and online student directory containing students’ enrollment dates, e-mail address, web page, internet ID, cell phone, address and phone.
On the other hand, MCTC elects not to publish a student directory at all, though upon request, a student’s name, date of attendance, graduation, certification and field of study are “accessible to any member of the public for any review,” according to MCTC policy 4.11.
Students have the option to request in writing that the college does not make this information available.
Under that policy, Cusick explained, student ID numbers and work-study awards are private data.
The U.S. Department of Education could not be immediately reached for comment on whether student data in question are considered protected.
Although Public Safety is not investigating the exposure of student data, the college is required to notify the subjects of the data breach in “the most expedient time possible and without unreasonable delay,” according to Minnesota data practices law.
Work-study students from 2006 to the present year who are subjects of the security breach can expect to receive notice soon and are encouraged to take caution, even though it is unlikely that anybody accessed the data with ill intent.
Students who registered online accounts may have left alone their default passwords, which are either their 8-digit birthdates or the last six digits of their social security numbers. That, along with the corresponding student ID number, could give anyone access to a student’s account.
Dillemuth explained, “The [student] ID by itself doesn’t give you much. You have to have other pieces of private information to go along with it.”
“We haven’t received any complaints from students that that has happened,” Cusick said.
Officials said that the private data will remain offline, but in the future, the budget and accounting data will again have a home for public review online. This could become part of the technical updates being rolled out in preparation for a new college website next year.
In fact, according to Dillemuth, a movement in the Minnesota Management and Budget office is pushing for budget information to be made public and transparent online for all state agencies.
“We looked into it,” Cusick said. “We tried to gather some information to understand what was going on, and we were able to do that and now can take appropriate action.”