When it comes to information security, Cal Poly Pomona (CPP) looks set to get a ‘could try harder’ on its report card this year. The polytechnic university, based in Pomona, California, inadvertently emailed personal information on all of its College of Science students to almost 1,000 people late last month.
According to a report in CPP’s student newspaper the Poly Post, an employee tried to send information to 940 computer science students on 28 January as part of an advising process to help students plan their courses. In the process, the employee accidentally attached a spreadsheet containing personal information on every one of the College of Science’s 4,557 students.
The information included the students’ names and addresses, their academic standing, their email, student ID, gender, ethnicity, and their grade point average (GPA).
A student who received the information tipped off the Office of Admission and Enrollment Planning 30 minutes after the mail went out, and staff deleted the email on CPP servers within ten minutes.
The ability to delete the mail from students’ email inboxes highlights the benefit of owning both the sending and receiving addresses in an email system. Still, it wasn’t enough to stop at least one enterprising computer science student from downloading the mail and getting creative.
Over on Reddit, ‘Billy Bronco The Spy’ crunched the numbers in the spreadsheet and used a throwaway account to produce a set of infographics drilling down into student statistics.
I am one of the students who received that email and was able to download it before the IT department was able to delete the email and the attachment. While I don’t intend to do anything nasty with the information, I did see this as an opportunity to see statistics that we normally would never be able to see, and so I created these infographics to show the information that wouldn’t invade the privacy of any individuals.
As well as an overview infographic in which he details a breakdown of students’ ethnicity, academic major, and gender, he also produced a separate slide called the Bronco Awards with some fun stats about specific majors:
He vowed not to reveal any individual student details, adding:
Invading the privacy of everyone to get this data is enough, that should be enough for you too.
CPP, which hasn’t posted anything about the incident on its website or social media accounts, didn’t immediately return our request for comment. However, the Poly Post quotes staff saying that the personal information cannot be used to log into students’ accounts.
The university won’t reveal its plans to address staff access privileges to information in the light of the breach, but it did tell the Post that it plans to introduce a system called CPP Connect. This will reportedly eliminate the need for mass emails during the advising process. However, it will still use listservs to communicate with the broader campus community.
When it comes to data breaches, this isn’t CPP’s first rodeo. In 2003, it mistakenly put information about 355 student applicants in a publicly accessible folder that went undetected for five years.
When the breach was discovered, then-CIO Stephanie Doda said:
We take the protection of personal information very seriously.
In 2011, a staff member put two files containing 38 faculty members’ personal details on a server without realising that it was publicly accessible.
At the time, university spokesperson Tim Lynch said:
We do see these as opportunities to address any issues out there.
With this third disclosure of information through employee error, Redditors didn’t seem especially impressed with the University’s assurances that it had things under control:
In 2015, hackers compromised nearly 20,000 CPP student records in another breach, which wasn’t the fault of CPP staff. The intruders infiltrated networks at We End Violence, a contractor that provided a state-mandated “Agent of Change” sexual assault prevention training class to students at CPP and other institutions.