(Image source: Stanford University, 2021)
One-sentence summary:
The application data of 897 Stanford Economics Ph.D. applicants was publicly exposed for over a month in a December 2022 to January 2023 misconfiguration incident.
Who was involved?
897 Stanford Economics Ph.D. applicants, Stanford University, and the individual(s) responsible for the “two downloads” of the exposed data (Stanford University, 2023a, para. 5).
What was the timeline?
December 5, 2022: Misconfiguration begins. Economics Ph.D. applicants’ sensitive application data becomes publicly readable.
January 24, 2023: Stanford learns of the misconfiguration and immediately remediates it.
February 17, 2023: Stanford makes a public press release of the incident and begins notifying affected applicants.
What occurred?
An unknown actor within Stanford changed the permissions on Stanford’s Economics Ph.D. application folder, allowing public read access and exposing the data of over 897 applicants (Stanford University, 2023a, para. 7). The exposure took over a month to be identified and resolved (Stanford University, 2023a, paras. 4-5).
Estimated costs:
Notification costs and IDX M-F phone support (Stanford University, 2023b, para. 3), plus IDX “24 months of credit and CyberScan monitoring, a $1,000,000 insurance reimbursement policy, and fully managed id theft recovery services” for affected applicants (Stanford University, 2023b, para. 5).
Involved laws:
Federal: FERPA.
State: California: CCPA and Cal. Civ. Code § 1798.29(a); Massachusetts: 201 CMR 17.00 and M.G.L.A. 93H § 1.
Root cause:
A “misconfiguration of the folder’s settings” (Stanford University, 2023b, para. 2).
Lessons learned:
A doer/checker policy, so that no single person can make a folder public without a second review. Restricting the right to grant public read access to a small set of delegated individuals. Continuous vulnerability scanning and configuration assessment of storage folders. SIEM/IT alerting whenever a folder or file newly gains public read access. Automatic rollback of public-read settings (e.g., a Lambda function triggered by a CloudWatch Events rule) so that exposure lasts minutes rather than the month it lasted here.
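To make the detection and rollback lessons concrete, here is an added example (not Stanford’s code, and not a description of whatever storage platform Stanford actually used). It assumes S3-style access settings: an ACL whose grants can name the AllUsers/AuthenticatedUsers group URIs, and a bucket policy whose statements can carry a wildcard principal. The folder name, account id, role name, and all ACL/policy records are constructed inline so the script runs offline; in a real deployment the same two functions would sit behind the alerting rule and the auto-remediation function named in the lesson above. Statements that grant to a wildcard principal but carry a Condition are reported for human review instead of being rolled back automatically, since a condition (for example a VPC-endpoint restriction) can legitimately scope such a grant.

```python
"""Detect and roll back public-read exposure on a storage folder's access settings.

Added example for this breach report. The ACL and policy shapes follow the S3
style (constructed sample data below); nothing here is Stanford's own code.
"""
import copy

# Group URIs that mean "anyone on the internet" / "any authenticated AWS account".
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_PERMISSIONS = {"READ", "FULL_CONTROL"}
# Lower-cased actions that let a principal read objects or list the folder.
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}


def _principal_is_public(principal):
    """True when a policy statement's Principal is everyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def _actions(statement):
    acts = statement.get("Action", [])
    return {a.lower() for a in ([acts] if isinstance(acts, str) else acts)}


def _acl_grant_is_public_read(grant):
    grantee = grant.get("Grantee", {})
    return (grantee.get("Type") == "Group"
            and grantee.get("URI") in PUBLIC_GROUP_URIS
            and grant.get("Permission") in READ_PERMISSIONS)


def _statement_is_public_read(st):
    """Unconditional Allow to a wildcard principal for a read action."""
    return (st.get("Effect") == "Allow"
            and _principal_is_public(st.get("Principal"))
            and bool(_actions(st) & READ_ACTIONS)
            and not st.get("Condition"))


def find_public_read(acl, policy):
    """Return findings for every public-read grant in the ACL and policy.

    Each finding is a tuple: ("acl", group URI, permission) or
    ("policy" | "policy-conditional", statement Sid, sorted actions).
    """
    findings = []
    for grant in acl.get("Grants", []):
        if _acl_grant_is_public_read(grant):
            findings.append(("acl", grant["Grantee"]["URI"], grant["Permission"]))
    for i, st in enumerate(policy.get("Statement", []) if policy else []):
        if st.get("Effect") != "Allow" or not _principal_is_public(st.get("Principal")):
            continue
        if not (_actions(st) & READ_ACTIONS):
            continue
        kind = "policy-conditional" if st.get("Condition") else "policy"
        findings.append((kind, st.get("Sid", f"Statement[{i}]"), sorted(_actions(st))))
    return findings


def roll_back_public_read(acl, policy):
    """Return (acl, policy) copies with unconditional public-read grants removed.

    Conditional wildcard statements are kept for human review, matching the
    "policy-conditional" findings above; the inputs are not mutated.
    """
    new_acl = copy.deepcopy(acl)
    new_acl["Grants"] = [g for g in new_acl.get("Grants", []) if not _acl_grant_is_public_read(g)]
    new_policy = copy.deepcopy(policy) if policy else None
    if new_policy:
        new_policy["Statement"] = [st for st in new_policy.get("Statement", [])
                                   if not _statement_is_public_read(st)]
    return new_acl, new_policy


# Constructed sample: the owner keeps FULL_CONTROL, but someone has also added
# an AllUsers READ grant and a wildcard GetObject policy statement (placeholders).
SAMPLE_ACL = {
    "Owner": {"ID": "owner-canonical-id-placeholder"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id-placeholder"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-phd-applications/*"},
        {"Sid": "AdminsOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/AdmissionsAdmin"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-phd-applications/*"},
    ],
}

if __name__ == "__main__":
    for finding in find_public_read(SAMPLE_ACL, SAMPLE_POLICY):
        print("ALERT public read:", finding)
    fixed_acl, fixed_policy = roll_back_public_read(SAMPLE_ACL, SAMPLE_POLICY)
    print("findings after rollback:", find_public_read(fixed_acl, fixed_policy))
```

Run on the sample, the scanner reports the AllUsers READ grant and the PublicRead statement, and the rollback leaves only the owner grant and the AdminsOnly statement. Wiring `find_public_read` to a periodic scan gives the alerting lesson; wiring `roll_back_public_read` to an event-triggered function gives the automatic rollback one.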
Commentary:
I applaud Stanford for being transparent about the incident and its root cause. However, this is not their first misconfiguration-related breach of applicants’ data: https://stanforddaily.com/2019/02/14/data-breach-allowed-students-to-view-other-students-admission-files-sensitive-personal-data/. Stanford or Stanford-related entities are also tagged in at least six other data breach incidents: https://oag.ca.gov/privacy/databreach/list. These will be covered in other breach reports.
Sources:
Stanford University. (2021, April). stanford-university-logo.png [Image]. logodownload.org. https://logodownload.org/wp-content/uploads/2021/04/stanford-university-logo.png
Stanford University. (2023a, February 17). Data security FAQs. Stanford Humanities and Sciences. Retrieved February 24, 2023, from https://humsci.stanford.edu/data-security-faqs-021723
Stanford University. (2023b). Information about a data incident / Notice of data breach (Assigned data breach number 29059). Massachusetts Office of Consumer Affairs and Business Regulation, mass.gov. Retrieved February 24, 2023, from https://www.mass.gov/doc/assigned-data-breach-number-29059-stanford-university/download