Leak prompts look into Penn's computing and privacy policies
Most of the information released by the hackers falls under the category of 'directory information'
October 10, 2012, 11:17 pm
Answers to the recent hacking incident may be found by looking through the University’s decentralized computing system.
Last Monday, anonymous “hacktivists” who go by the name Team GhostShell leaked student and faculty names, email addresses and PennCard numbers from five data tables of the Vice Provost for University Life server.
According to the leak, 322 data tables were compromised, but information from only five of them was released. The leaked information was taken offline last Wednesday. According to a University press release, no sensitive information that could result in identity theft was made public.
The names of the five data tables published were “aod_user,” “coursereview_tblusers,” “lgbtc_users,” “nec_wp_users” and “OHE_FS_student.”
The affected VPUL server is not a part of Penn’s central computing system.
According to Robin Beck, Vice President for Information Systems and Computing, each school and department within the University has its own information technology organization. “Each school is responsible for managing their own IT, what they spend and direct support of faculty and students,” Beck said.
ISC provides central support such as security awareness and response and services for local providers. It is also responsible for shared services, such as Penn Portal and Penn InTouch.
“We think of this as leveraging the knowledge of individual schools. IT organizations have their faculty and their unique academic disciplines and complementary resources that go across the University,” Beck said. “You can almost think of it as kind of a federated model.”
Many organizations across campus maintain strict confidentiality policies due to private information they possess on students. The Office of Alcohol and Other Drug Program Initiatives, Student Health Service and Counseling and Psychological Services, for example, are VPUL organizations that hold such data and maintain such policies.
William Alexander, director of CAPS, said the CAPS system was not compromised in this incident. “Our [data] isn’t kept with the University,” Alexander said.
As of press time, AOD had not returned multiple requests for comment, and an SHS representative could not be reached.
Aaron Titus, chief privacy officer and general counsel of Identity Finder, a company that helps secure clients’ personal information, said the decentralization of university databases is necessary.
Through Penn’s ISC website, students can access Identity Finder software which can find and delete sensitive personal information stored on a personal computer.
“You have [schools] that are independent of the University, and the same is true of departments and professors. That culture of independence extends to IT security so universities are meant to facilitate that free flow of information,” Titus said.
“However, some information was never meant to flow, and that’s why it’s so difficult to secure personal information in a university setting,” he added.
Some students whose names appeared on the leaked data tables said their information might have been associated with certain VPUL organizations, but within each data table, there was no clear affiliation among the students listed.
A 2011 College graduate, whose information was listed under “aod_user,” said she had used services under VPUL — she had used CAPS once and participated in workshops with the Office of Alcohol and Other Drugs Program Initiatives.
A 2010 College graduate, who was also listed under “aod_user,” had used VPUL services as well. She received services from CAPS for three weeks but “didn’t feel this was the reason for being on the lists because I know this information is very confidential.”
Most of the information released by the hackers falls under the category of “directory information,” which, according to Penn’s Policy on Confidentiality of Student Records, includes student names, addresses, telephone numbers and ID numbers among other basic information.
The policy states this information is generally regarded to be less sensitive and “may be disclosed from records relating to a student without his or her consent if the student has not ‘opted out’ of allowing such disclosure…”
Students are given a notice every year that allows them to “refuse to permit the University to make any or all of [this information] available.”
The policy also states that the University respects students’ requests to keep their information confidential.
According to Beck, though Penn’s computing model is decentralized, the responsibility to protect the confidentiality and integrity of the Penn community is shared equally among all of the departmental IT organizations.
“We have the responsibility for the systems we develop and support and operate,” she said, adding that individual schools are responsible for their own systems and data.
“There are separate responsibilities, but they’re shared,” she added.