Human error caused a massive leak of personal information of all active students in the College of Science. On Jan. 29, the campus community was notified via email of the leak.
The incident occurred Jan. 28 when a university employee within the Computer Science Department intended to send an email containing advising information for 940 computer science students.
Inadvertently, the employee also attached an Excel spreadsheet containing personal information of all 4,557 active students in the College of Science.
“It was a case of human error,” said Tim Lynch, associate vice president for Strategic Communications. “It was somebody making an honest mistake. Significant mistake, I’m not minimizing that, but it was just an honest mistake … I have to know this person wishes more than anything to have taken it back.”
Information including names, addresses, academic standing, CPP email, Bronco ID, gender, ethnicity, GPA and other data was included in the spreadsheet, but no Social Security numbers or dates of birth were leaked, according to Lynch.
Jessica M. Wagoner, senior associate vice president for Enrollment Management and Services, added that the information cannot be used to log in to any student’s emails or change passwords.
She said university officials found out about the leak because a computer science student who received the email contacted the Office of Admissions and Enrollment Planning around 30 minutes after the email was sent.
According to Wagoner, action was taken within 40 minutes.
“The action within the hour was that we were able to contact IT (Information Technology) and delete the emails.”
There is no way of knowing to what degree the information it contained was saved or distributed because the email was sent around 40 minutes before it was deleted.
A Reddit user who downloaded the leaked data before the email was deleted created detailed infographics based on the data but omitted any individual identifiable student data.
“Once it goes off our platform, we lose custody of that chain of information,” Lynch said.
Lynch said the university declined to share the identity of the person who leaked the information as he believes nothing would be resolved by releasing the identity of the individual.
Sylvia Alva, provost & vice president for the Division of Academic Affairs, said access to high levels of personal information is not widespread among university employees. Access is granted through a yearly approval process, but she could not speak to whether or not the leaker’s access to it was revoked.
Whether the leaker faced any disciplinary action is not known at this time, but the university is in the process of making changes to the way personal information is handled.
One of those changes is the implementation of CPP Connect, a new advising software that will eliminate the need for mass listservs, electronic mailing lists like the one the leaker used, in advising services.
According to Alva, CPP Connect would be used for advising purposes, but listservs will still be used to to communicate with the campus community.
“We’re going to have to think hard and roll out some more training for advisors and other users of CPP Connect so people have a deeper understanding of the power of these tools but also the importance of protecting data and the confidentiality of students,” she said.
Alva said the university is looking into several ways to avoid similar incidents in the future.
Alva mentioned a secure cloud could help protect data and she acknowledges more should be done to protect student information.
This is not the first time student data has been compromised.
According to NBC, in 2009, 675 people who applied to the university in 2001 were informed that names, addresses, phone numbers and Social Security numbers stored in an old server scheduled for replacement in 2009, were found by a student Googling himself.
The data was removed by the university.
In spring quarter 2015, students again were informed that their personal information could have been disclosed when a security breach targeted We End Violence, the vendor that provided a sexual assault prevention class called “Agent of Change,” that all students were required by law to take.
According to PolyCentric, the university-sponsored news center, the data included student names, Bronco IDs, email addresses and Agent of Change passwords.
Seven CSU campuses may have also been affected by the data breach.
Tatiana Vargas, a fourth-year zoology student in the College of Science, shared her thoughts on the leak.
“I was kind of scared because they said that our address was being given out. And that’s my home address and it’s kind of scary like … [they] know where I live now.”
Vargas is still shocked that it happened in the first place.
“I hope it’s a lesson to everyone; professors and students should double-check their emails,” Vargas said. “It’s not right to leak that information.”
Steven Orrick, a fourth-year biology student with an emphasis in zoology, agreed the mistake was ridiculous.
“I think it’s a little bit absurd that someone can make a mistake that big,” he said. “I’m not particularly concerned about the information that was leaked. What concerns me is that they did let our information slip out, period.”
College of Science students are encouraged to reach out to the Office of the Registrar, Bronco Advising Center or Counseling and Psychological Services with their questions and concerns regarding the leak.
Feb. 6, 2019, 11:12 a.m.: Due to an editing error, a previous version of this story incorrectly stated that CPP Connect would not be used for advising while in fact its main goal is to aid in advising efforts. The story has been updated.