Stanford U. official ousted after keeping quiet about huge exposure of sensitive data
The chief digital officer at Stanford University’s Graduate School of Business is out of a job after failing to disclose a data breach that included confidential student financial aid records and sensitive information from 10,000 employees.
Ranga Jayaraman served as CDO at Stanford for six years before stepping down Wednesday.
The breach was made public after a business school student found 14 terabytes of confidential student data from financial aid applications in February 2017 on an unspecified public server. Stanford business student Adam Allcock reported the breach and saw the records — some of which were a decade old — removed within an hour. Public disclosure only took place on Dec. 1 after Jayaraman originally had made the decision to not disclose the breach.
In an email to colleagues seen by the San Francisco Chronicle, Jayaraman took “full responsibility for the failure to recognize the scope and nature of the … data exposure and report it in a timely manner to the Dean and the University Information Security and Privacy Office.”
After discovering the data, Allcock wrote a 378-page analysis alleging that the business school lied about how it awarded financial aid. Instead of handing it out on the basis of student need, as the school originally claimed, aid went to “non-needy” students the school wanted to attract, the Chronicle reported. The school promised more transparency as a result.
The employee information included Social Security numbers, birth dates and salaries. Employee information was from 2008, and the student data was from a broader but unspecified range of dates, the Chronicle reported. The exposure began in September 2016 and lasted until February 2017. There is no evidence the information was accessed by a nefarious party.
The Stanford incident comes weeks after it was revealed that Uber paid $100,000 to cover up the breach of 57 million records of customers and employees. In addition to numerous lawsuits and the resignations and firings of numerous Uber security employees, that incident sparked fiery attention from Capitol Hill as well as the introduction of a data notification law that would pin a five-year prison sentence on individuals who conceal data breaches.
“We need a strong federal law in place to hold companies truly accountable for failing to safeguard data or inform consumers when that information has been stolen by hackers,” Sen. Bill Nelson, D-Fla., said in a statement. “Congress can either take action now to pass this long overdue bill or continue to kowtow to special interests who stand in the way of this commonsense proposal. When it comes to doing what’s best for consumers, the choice is clear.”
Speaking to the San Francisco Chronicle, Jayaraman said he made the wrong choice in not disclosing the data exposure and would make a different choice today.
Update: The article previously attributed quotes to Allcock that were in fact stated by Stanford and SFGate.