A student at Western Oregon University who accidentally discovered a file containing personal data on a publicly accessible university server and then handed that data over to the student newspaper has narrowly escaped being expelled for his actions.
But a contracted adviser to the newspaper has been dismissed for allegedly mishandling the data and for failing to properly advise the students on the university's policies relating to handling of personally identifiable data.
Brian Loving, a student at WOU, stumbled upon a file containing the names, Social Security numbers and grade point averages of between 50 to 100 students on a publicly accessible university server in June. Loving downloaded a copy of what he discovered and handed it over to the Western Oregon Journal, the campus newspaper.
After making a copy of the file, the newspaper's editor and Loving then informed the university about the security breach. Though the paper's final publication date for the academic year had already passed, it decided to publish a four-page special report with an article describing Loving's discovery. No names of any of the students were published in the article.
The episode triggered an internal investigation at WOU. It also prompted campus officials to send IT staffers into the paper's closed newsroom and search newsroom computers for copies of the file that may have been stored in those systems.
Two months into the investigation, Loving -- who is now a staffer with the newspaper -- was found to have broken a university computer use policy that prohibits unauthorized people from accessing confidential files that may have been inadvertently placed in a publicly accessible location. On Sept. 28 he faced a disciplinary hearing over the incident.
Mark Weiss, the university executive vice president of finance and administration, on Wednesday cited student confidentiality and refused to describe the outcome of the hearing. But he denied that Loving had ever been expelled as a consequence for his action, as some local media outlets suggested.
Weiss also confirmed that Susan Wickstrom, who had been an adviser to students working at the newspaper, is no longer in that position since the university chose not to renew her contract. He did not say if the reason for the non-renewal had anything to do with Loving's security breach incident report.
A source at the university who wished to remain anonymous said that Wickstrom's contract was not renewed because of her failure to advice students against making copies of the exposed file and for her failure to advise them about the school relevant computer use policies.
"This was not a freedom of the press issue at all," Weiss said. The school newspaper should be able to write on any topic it wants to, he said. Similarly, "the issue is not that the student discovered a file that contained confidential information. For that we are grateful," said Weiss who also expressed gratitude to Loving for discovering a vulnerability the university had not been aware of up to that time.
Rather, the problem had to do with the manner in which the information was handled after it had been discovered, Weiss said.
"Once confidential information is discovered, we don't expect people to be downloading copies of that information and giving it to other people," he said. "He mishandled copies of the file," Weiss said of Loving. "People who know this shouldn't be done should be advising students on what the right thing to do is," he said in an apparent reference to Wickstrom.
Weiss also defended the university's decision to send IT staffers to search for copies of the file on newsroom computers at a time when the newsroom was locked. "The last issue of the student newspaper had already been printed. We asked [newspaper staffers] for the files that were copied to be returned," Weiss said. When the newspaper did not respond, IT staffers went in to retrieve any files that might have been copied and stored on newsroom computers, he said. At the time when the IT staff went in the newspaper offices had been shut down for the summer, he explained.
He also maintained that the university had a right to look for the files on newsroom computers because the systems were owned by the university. "We considered whether or not it was appropriate to enter, look for and take those files that were taken from our systems and we concluded that it was appropriate," Weiss said.
Weird Times for Whistleblowers
The incident is similar to others in which individuals who discover or publicly disclose data braches at their places of work end up being in trouble themselves. Just last month, a former IT employee again working in Oregon but with Providence Health System, filed a wrongful termination lawsuit against the organization claiming he was fired in Feb 2006 simply because he reported a data theft to local law enforcement.
Even more recently, a St. Louis-based IT worker for The Boeing Co. claimed he was fired by the company for speaking with a Seattle newspaper about ongoing information security challenges at the company. A report in the Seattle Post-Intelligencer quoted a Boeing spokesman as saying that company had clear guidelines regarding the release of information outside the company and every employee was expected to follow those guidelines.
In yet another similar incident, a New Mexico jury awarded $4.3 million in damages to Shawn Carpenter a former network security analyst at Sandia National Laboratories. Carpenter had filed a wrongful termination lawsuit against Sandia after he was fired from the lab for disclosing details of an internal security breach with the FBI and others.
This story, "Student Who Uncovers Breach Escapes Expulsion" was originally published by Computerworld.