May 27, 2005

Private records discovered on server

Students recently found confidential, unprotected information on the Krypton server—which hosts the bulk of the University's webpages—sending administrators scrambling to find out where the files came from. Information included students' social security numbers (SSNs), grades, and comments on financial aid applications in some cases.

A third-year student in the College and web-developer—speaking under condition of anonymity—was aimlessly looking through available files on a UChicago server on November 12, 2004. He stumbled upon a folder from the administration containing the personal and confidential information of students enrolled in the University.

This was the first in a string of events that have exposed vulnerabilities in the Krypton server, which allows any webmaster of a University webpage access to confidential material without stealing, hacking, or exploiting their privileges. Student webmasters have been able to locate and open Krypton files from the internet containing student SSNs, CNet IDs, and immunization statuses, among other information. It is not known which administrative offices originally produced the files.

The student first found Excel files containing the immunization records of enrolled students, both undergraduate and graduate, and then found spreadsheets containing autumn quarter 2003 grades of all students, and the SSNs of all alumni from 1990 to 2002. Upon finding the files, the student, who works for Residential Computing Services, notified Network Security and Enterprise Network Server Administration (NSENSA). Networking Services and Information Technologies (NSIT) immediately reported that the file had been removed.

This was not the end of the problem. The student and a friend of his, Nick Poulos, a fourth-year in the College and the webmaster of the Scav Hunt and College Bowl pages, found more confidential student material both on Krypton and on the internet, including a spreadsheet on the Krypton server accessible to webmasters containing the SSNs of all students enrolled in the University as of autumn quarter 2002. According to the student and Poulos, these files would have been available to any Chicago webmaster both on and off the campus network.

"Student webmasters need to be able to upload their pages to Krypton, and currently we have this ability," Poulos said. "However, they can currently also inspect the great majority of the rest of the files on Krypton—including those with sensitive personal information. Not only should students not have access to these files, these files should not be there in the first place."

The student said he alerted administration and NSIT about the confidential files each time he encountered one, generally receiving a quick response to the particular problem. In his latest e-mail to NSIT security and several administrators, sent Monday, May 16, the student addressed the spreadsheet and eight other files containing restricted student data. "I asked them what possible reason could there be for data like this to be on the campus web-server anyway," the student said. "And then last Monday, the file was taken off. But then sometime between Tuesday (May 17) and Saturday (May 21), the permissions must have changed again, because the file was available again."

Bob Bartlett, director of NSIT, said he thought the files were erased after notification from the anonymous student. He was surprised that the spreadsheet had become available again and did not know why the files were on Krypton in the first place.

"The immediate part of the solution is to remove the files; they shouldn't have been there at all," Bartlett said in an interview. "The second part is to lock out access to the Krypton system until we are certain that all the files containing sensitive information are gone. And there are 656,000 files on this system, each created by different people."

SFTP access to the web server, which developers use to get on Krypton, has been shut down as of today, while NSIT searches for the files. According to Bartlett, NSIT is also designing a wrapper—essentially a means of closing a site to all eyes but the programmer's—this week to restrict web-developers to their site only, so that they cannot view other files. Bartlett said that NSIT would also enforce a new policy requiring all developers to remove any sensitive data on Krypton or any public server. Developers who recertify their sites will need to review them and state that there is no sensitive information on the website, or else it will be closed on the server.

Gregory Jackson, the vice president and chief information officer of NSIT, said that the University's confidentiality policy explicitly requires strict adherence to security procedures for storage, procurement, usage and/or transmission of sensitive data involving student, staff, or financial information.

"If personal and/or financial information on individuals is stored on computers or transmitted over networks on or off campus, the individuals or offices authorized to do this must take active, reasonable steps to ensure that the data cannot be intercepted or acquired by unauthorized individuals," Jackson said in an e-mail to the TechTalk listhost. "Specifically, for example, if personal and/or financial information is stored in a database or other file on a computer, access to the data must require more than simple access to the computer—so that it will be protected even if the computer is, for example, stolen by a malefactor."

Brian Hinkle, a second-year in the College and a Resident Computing Assistant (RCA), had not seen the confidential files, but had heard about the vulnerabilities. Hinkle said Jackson's e-mail defined the vulnerabilities in Krypton as violations of the confidentiality policy because the machine should have been regulated to keep its data secured.

"In absence of explicit permission from the administration, this type of sensitive data cannot be employed unless it is used on a day-to-day basis," Hinkle said. "And even if Krypton was a secured machine, no one should have had permission to put them on the server or have been able to download them."

Hinkle alluded to the Family Educational Rights and Privacy Act (FERPA), passed by Congress in 1974, which limits how students' personal information may be released publicly by an educational institution. He said that since the University's confidentiality policy is designed specifically to be compliant with FERPA, files disseminating data like SSNs are also in violation of FERPA.

"FERPA demands that sensitive data cannot be used unless it is for a day-to-day basis," Hinkle said. "Furthermore, the extent to which the data is used must be restricted as much as possible."

The files divulging students' immunization and insurance records without their consent could also be in violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which protects the health records of patients.

Currently, NSIT is working to fix the security on these files. As of May 23, the file containing all SSNs of students in the college since 2002 has been deleted from Krypton. Another spreadsheet, which was available over the web, containing data on students registered for classes in summer quarter 2003, has also since been taken down.

"In this situation, the files were not as protected as they should have been," Bartlett said. "But, the network is going to be more secure and restrictive now than other colleges'. Definitely the server is going to be better than before they reported this to us."

Status updates on the problem will be available at, Bartlett said.