School data on insecure Web site since '02
Personal information belonging to almost every one of AU's 13,000 computer network users has been available to anyone on the Internet for about a year and a half through a series of loopholes in the my.american.edu Web portal.
University officials were informed of the problem by The Eagle last Monday and were given a week to address the issue prior to the publication of this article. The problem has been solved and, to the best of their knowledge, no information has been compromised or used, University officials said yesterday.
"We understand that people are very uncomfortable whenever this sort of thing happens ... and we are very, very confident that we've resolved it," said Carl Whitman, executive director of e-operations, the University office that oversees much of AU's technology infrastructure, including the my.american.edu portal.
The information available online as a result of these loopholes included student names and their corresponding Social Security numbers, AU IDs and dates of birth, student and parent tax filings, admissions applications, transcripts and other documents, financial aid documents, contact information and data on donors to the University. This included but was not limited to amounts of gifts and development office notes, room scheduling, system username, password and access level data and more. The pages available were mainly lists of information, and though some pages allowed a site visitor to navigate to other sensitive areas, most of the compromised pages did not allow a user to alter information already online. Personalized information such as grades and employee pay data do not seem to have been available through the loopholes.
"Our foremost concern is for the integrity of any personal information that may have been compromised," Whitman said. "We have no indication that information has been compromised or used. If the University is aware that personal information has been compromised or used, we will notify the community and any affected persons."
University officials are now in the process of reviewing access logs as far back as August 2002, when the current portal system was introduced, in search of any improper access, Whitman said.
"The vulnerability documented by The Eagle has been present in the portal since Aug. 28, 2002.
It is the result of significant design changes and the addition of new features to the portal that were first implemented on that date," Whitman said, adding that some sensitive features were available since that time, while others were available more recently. Information on donors, admissions and financial aid documents was only available this past fall.
Thus far there has been no portal downtime as a result of the problem, Whitman said, though he noted that some individual applications were temporarily disabled while their exposure to the loopholes was assessed.
The three loopholes discovered relate to some of the data of 239 programs contained within the portal, and to the level of clearance a site visitor needed in order to view or access them. The first loophole allowed anyone on the Internet to access certain pages without having to log in to the my.american.edu system. This was possible by simply typing in the Web address - known as a URL - of the desired page. Most URLs on the portal look something like this: http://my.american.edu/external.cfm?ID=1, which would take a user to a course registration page. Changing the number at the end of the line, however, could send a user to a totally different page, often one to which access was supposed to be restricted. Some of the pages available online through this method included applications for admission and documents submitted to AU during that process, financial aid documents, benefactor information, and capital project budget numbers. It was also possible to edit the message displayed on the portal's welcome screen.
If logged into the system, though, other pages became visible, including more admissions information, room scheduling data, and apparent control over all 13,000 system users, their passwords and access privileges. Also, anyone had the ability to edit the text of the www.american.edu main page.
Though many of these pages required either enough knowledge of the loopholes to change the number at the end of the URL or the happenstance of making a typo and being sent to the wrong page, a number of supposedly restricted features were also available through the portal's search feature, which has since been removed. If a site user did not enter any text into the search window but clicked the "Search" button, a list of every accessible page appeared, including admissions and prospective student information.
University officials were made aware of the problem last Monday afternoon and responded quickly. The problem was fixed before the afternoon was over, Whitman said, and the relevant administrative and cabinet officials were notified either that day or the following morning. Within a day, that list would include Vice President of Finance Don Myers, Vice President and General Counsel Mary Kennard, Provost Neil Kerwin, Chief of Staff David Taylor, Executive Director of Risk Management and Safety Services Pat Kelshian and others. By Tuesday afternoon, the University had contacted its internal auditing firm, Protiviti, to arrange to have network security audited, and were already searching access logs for any improper access. Though the University has logs of most site access, they had not been aware of the gaps in portal security because the logs are intended to provide a history of site access and not necessarily to alert administrators to improper access itself, Whitman said.
"We took the issue very seriously and by Tuesday morning had mobilized all the folks that could be of assistance, to address the issue and protect the institution," Myers said. "Anything that comes in like this that we think puts the University at risk, we're going to mobilize everyone we can."
A week after first tackling the problem the University does not believe that the loopholes have been used maliciously or that information has been stolen as a result of the issue, though access logs are still being searched for any improper access. Also, University officials are confident that none of the data online has been altered.
"We're totally confident in the integrity of the data online itself," Whitman said.
While Whitman is glad that the loopholes seem to have been fixed by last Monday night and believes the site to now be secure, he said that the University will carefully examine the results of the security audit already underway. There are four technicians from the auditor on-site now, he said, and their investigation should be complete within several weeks.
Though the potentially compromised pages contained extremely sensitive information, Whitman noted that thus far no damage seems to have been done and that the problem could have been worse.
"Clearly what you could do was bad enough, but there were a lot of pages that you couldn't see," Whitman said. "You couldn't look at payroll data, you couldn't look at grades. The issue is with these lists of data ... and any links from them."
Whitman said that the loopholes should have been foreseen, and that "more rigorous testing [of the site] would have revealed the problem."
Responsibility for the security lapse ultimately lies with him, he said, even though portal developers and network security staff manage the day-to-day duties of portal administration and security. Whitman declined to say whether any of that staff would be held responsible for creating the problems or for not finding them sooner.
AU is not the first school to have had confidential information made available through a hole in network security. In the past year alone, George Washington University faced embarrassment when a professor accidentally placed student Social Security numbers online (GW uses Social Security numbers as student ID numbers), New York University students involved in intramural sports found their Social Security numbers on a private Web site, the University of Kansas fell victim to a computer hacker and Georgia Tech's box office was hacked and credit card information was stolen. The main difference with AU is that, thus far, no information seems stolen or altered as a result of AU's security oversight.
Todd Sedmak, director of Media Relations, said that while the University is still learning from the episode, students should take the opportunity "to play their proper role in security, if it's changing a password or seeing something untoward and reporting it."
With the problem seemingly solved, Whitman said that it's important to reassure the AU community of the network's security.
"The University regrets this situation and the concern that this may cause our community. The portal flaw has been fixed and we are confident in the security protections in place," he said.
That said, Sedmak notes that anyone concerned about having been the victim of identity theft could refer to either http://www.consumer.gov/idtheft/ or the Department of Education's Web site on the subject, accessible from http://www.ed.gov/misused.