Following an inquiry from The Eagle in March 2021, the Office of Information Technology (OIT) at American University (AU) became aware that certain student information had been included in a data exposure incident. The incident, which affected approximately 6000 students, 900 of whom are alumni, occurred on the AU SharePoint portal.
On April 16th, 2021, students whose information was compromised in the exposure received an email from the OIT. In this email, students were told that the exposure made a “limited subset of student education records” visible to other SharePoint users with AU credentials.
According to the email sent by AU’s administration, sensitive student information such as Social Security numbers, financial information, grades, and transcripts was not included in the exposure. Instead, responses to a survey from freshman year were visible. One of the questions posed in this survey asked students how much financial matters affected their decision to attend, and whether AU was their first choice.
“To mitigate these issues from occurring in the future, [the] OIT is implementing a periodic, automated review and reporting of our SharePoint sites,” said Vice President and Chief Information Officer, Steve Munson, in a recent statement.
In his statement, Munson claims that this step will ensure the OIT’s ability “to proactively identify situations where sites or folders are available to audience based groups such as all users logged into the myAU portal, all students, all faculty, all staff or a combination of these groups.”
Out of the estimated 6000 students affected by this data exposure, Munson says that the OIT has contacted 99% of this group to create awareness of this situation “in the spirit of transparency.” While the exposed student data is no longer accessible to other users with AU credentials, the email sent out to affected students stresses that, during the incident, “very few people” unearthed and viewed the exposed data.