Security concern with student personal data flagged to admin last spring
September 20, 2024
Late last spring, a Bowdoin student discovered and reported an instance in which current and former students’ personal information—including a limited number of students’ medical records—was placed in a digital folder broadly visible to users with Bowdoin credentials logged in to the “Microwave,” the College’s shared file storage server.
After realizing the type and sensitivity of the information he had been able to access, Mason Daugherty ’25 said in an interview with the Orient that he reported what he had found in an email to College administrators. Later that same day, he was no longer able to access the folder containing the information.
When connected to the campus network, users with Bowdoin credentials can access the Microwave server and see its folders. Daugherty, who briefly worked for Information Technology (IT) in his first year, noted that users are only able to access folders to which they have been granted access through different offices or organizations.
“Each user has privileged access to certain folders based on what they should see and shouldn’t see,” he said. “Depending on what you do at the College, different employees have access to certain folders.”
On April 22 of this year, Daugherty noticed that he had access to a folder in Microwave that he was not familiar with and accessed it.
“I walked into an open door,” he said.
Inside the folder, Daugherty said he found medical records of around a dozen students dated from 2018 to 2020. He also found a spreadsheet containing the personal information of Bowdoin students dating from the 2022–23 academic year. Daugherty said the spreadsheet included students’ home addresses, campus residence and personal phone numbers, among other fields.
“[It was] stuff that would show up in Polaris only to those people but not to everybody else,” Daugherty said of the information contained in the spreadsheet.
Daugherty said that one column in the spreadsheet was labeled for students’ Social Security numbers but that the column’s cells were left blank.
After realizing the nature of the information he had been able to access, Daugherty wrote an email alerting College administrators, including Chief Information Officer Michael Cato and then-Senior Vice President and Dean for Student Affairs Janet Lohmann.
“[Administrators] addressed it by the end of the day,” Daugherty said. “As far as I could tell, they had made that folder private.”
The length of time during which the folder had been accessible to users is unclear.
Cato acknowledged the incident in an email to the Orient.
“In April, IT was notified of a security event that was investigated, the technical issues causing it were addressed and the processes outlined in the Written Information Security Program (WISP) were followed. An industry standard framework that many states now require, the WISP was developed to formalize our Information Security policies and practices,” Cato wrote.
Cato and Chief Information Security Officer Jeff Doring both declined to comment further on any specific security incident in an interview with the Orient.
According to the security plan referenced by Cato, the College follows an Incident Response Plan in the event a data breach legally requires notification of affected individuals. Doring wrote in an email to the Orient that the Incident Response Plan is not publicly available, citing security concerns.
Doring added that the chief information security officer, a role which he currently holds, is responsible for the immediate response to a security incident.
“Securing assets and containment are priorities,” Doring wrote. “The type of incident will dictate the scope of the response and actions taken.”
The incident reported by Daugherty is not included in the WISP’s definition of a breach: “A good faith but unauthorized acquisition of personal information … is not a breach of security unless the personal information is used in an unauthorized manner or subject to further unauthorized disclosure.”
When asked about how IT assesses the risk of a security incident, Cato identified three factors.
“The major considerations start with the data itself (e.g., sensitivity and volume), the scale of the incident and the indications of inappropriate access,” Cato wrote.
Cato added that these factors would determine whether or not people whose data was involved would be notified, adding that Maine law becomes a consideration if sensitive data like credit card information or Social Security numbers were exposed.
Daugherty said that he met with IT staff members after reporting the incident and felt they were taking steps to remediate it, though he added that administrators would not clearly answer how they would prevent similar incidents in the future.
“I asked them about what they would do to ensure that this doesn’t happen again, and there wasn’t a clear answer on that,” he said.
Daugherty later elaborated in a message to the Orient.
“A folder that should have been secured by IT wasn’t and was left open for an indeterminate amount of time prior to me noticing it,” Daugherty wrote. “I’m happy that IT was able to take steps to promptly resolve the issue, and I dearly hope they take the necessary steps to ensure that something like this can’t happen again going forward.”
When asked about top security concerns in IT, Doring emphasized external risks like phishing attacks, noting that a Bowdoin account compromised by a malicious actor—rather than a user with Bowdoin credentials—is among the more challenging scenarios.
“Unauthorized access of internal systems by external parties and external exposure of internal data are among the most serious,” Doring wrote.
Cato emphasized that information security at Bowdoin is a collective responsibility shared by IT and individual users.
“While IT has responsibility for securing systems and tools, the choices we make as community members are important as well,” Cato wrote.
Comments
Before submitting a comment, please review our comment policy. Some key points from the policy: