Staff Editorial: Student data exposure reveals need for internal auditing
University must outline its next steps
The University’s unintentional exposure of student data is alarming. While the data exposed was not particularly sensitive, The Eagle Editorial Board is left wondering whether the University’s extensive collection of highly personal information is actually safe. AU holds a variety of sensitive data, from student financial information to medical records to social security numbers. The information made accessible through this error was AUID numbers and survey responses, which is not so damaging for students, but how can the student body feel safe in the knowledge that another mistake won’t result in the reveal of more personal data? This situation could easily have been much worse if a different set of data was exposed.
The issue occurred due to “human error,” indicating the necessity for the University to do internal work to ensure a mistake like this doesn’t happen again. This work has to start with rigorous training. If AU staff is going to regularly handle highly personal information, they need to be trained in SharePoint thoroughly enough to prevent these mistakes from happening in the future.
It’s impossible to predict how long this data would have been accessible if not for an Eagle staffer discovering it. The University should have consistent auditing of its system, i.e., people looking for this type of issue on a regular basis. If it’s so simple to accidentally widely share documents containing student information, the University should have regular reviews of its system to ensure its staff is well trained and handling data properly.
One way the University can help students feel more comfortable after allowing their data to be so widely available is by offering to issue new AUID numbers. While AUIDs are not the most sensitive information the University has, they are still an important identifier on campus, university databases and more. If students feel concerned about having their ID numbers exposed, they could be offered the option of getting a new number. The majority of the Eagle Editorial Board is in favor of a new AUID option.
As the University starts to notify students who were affected by the data exposure, it has an obligation to be transparent about the multiple mistakes made that resulted in this situation. Students deserve an in-depth explanation of what data was exposed, why it happened and what further steps are going to be taken. Whether it’s upon notification or in the near future, AU needs to detail to students a change in policy that ensures another failure like this does not happen again. It is essential that students can trust the University with such sensitive information, especially in a society where our data is constantly preyed upon.