A few weeks into his first year in 2021, Andrei Thüler logged into my.UChicago to download his class schedule to add to his calendar. But something caught his eye: the download URL contained his student ID. At the time, it didn’t seem like an issue.
It wasn’t until 2024—after taking several data science courses—that Thüler realized replacing his ID in the URL with another allowed access to other students’ class schedules without requiring additional authentication. In a data ethics seminar, he further explored the implications of a possible breach and grew concerned that the issue could expose students to potential harm, such as stalking.
“All faculty have access to their students’ IDs, and students frequently give them out to RSOs and other third parties for identification,” Thüler wrote in his report to the University on November 11. “Having knowledge of a Student’s ID number shouldn’t entitle them to know a student’s entire whereabouts.”
The University fixed the bug within hours and later agreed to a meeting. On January 16, Thüler met with Matt Morton, the University’s chief information security officer, to discuss his concerns. According to Thüler, Morton informed him that a review of the previous two years of download logs showed no indication of a large-scale breach.
In a statement to the Maroon, the University stated that “there is no evidence that identifiable student data was publicly exposed as a result of the flaw.” However, the University did not respond to the Maroon’s requests for further details, including how it monitors access to individual calendars. It also did not clarify how long the vulnerability had existed before 2021, or whether any breaches could have occurred prior to the last two years.
After his meeting with Morton, Thüler disclosed the vulnerability to the Maroon in mid-January.
Morton initially agreed to an interview with the Maroon but later canceled, citing scheduling conflicts. Morton did not respond to multiple follow-up requests to reschedule.
“Every mechanism that shares your personal information should be going through a process that authenticates it as consistent with the ID you are logging into,” said Ben Zhao, the Neubauer Professor of Computer Science at UChicago, in an interview with the Maroon.
In a statement to the Maroon, the University said that “the Information Security team in IT services works to protect University data from outside threats by establishing, monitoring, and documenting cybersecurity functions and procedures across campus.”
The University’s Information Security Policy requires careful monitoring to prevent unauthorized access to restricted information as defined by the University and the Family Educational Rights and Privacy Act (FERPA), including courses taken by students. However, even with strong policies, vulnerabilities can go unnoticed for long periods.
“It is sometimes tricky to find all the potential loopholes… [but] it’s absolutely within the expectations of what security people should do,” Zhao said. “This should have been done and wasn’t done properly.”
The University did not respond to questions about its current security audit practices and whether it conducts routine checks for FERPA-protected data.
The University did not release a notice to students regarding the vulnerability.
“The question is—obviously this shouldn’t have happened, but how often [do data vulnerabilities like] this happen?” Zhao said. “Unfortunately, this happens a fair bit.”
To report a possible compromise or other data security incident, contact the University IT Services Security team at security@uchicago.edu or (773) 702–2378.
Editor’s Note, March 25, 9:15 a.m.: This article has been updated to clarify the University’s statement and response to further questions from the Maroon.
