Stanford official resigns after failing to disclose 2016 data breach

Stanford University’s chief digital officer has resigned after failing to disclose a data breach of student financial aid information and the personal information of thousands of employees. Ranga Jayaraman served as Stanford’s CDO for six years before stepping down Wednesday.

The breach dates back to June 2016, according to a statement from the university. But the school wasn’t aware of the breach until February 2017, when business student Adam Allcock found a trove of sensitive data on a public server and reported it.

The data Allcock uncovered included 14 terabytes of confidential information from student financial aid applications. As the university investigated, it also discovered a public file containing the personal information of 10,000 employees. The breach wasn’t publicly disclosed until Dec. 1. Jayaraman, who also served as associate dean of the business school, had originally decided not to disclose the breach.

“I take full responsibility for the failure to recognize the scope and nature of the … data exposure and report it in a timely manner to the Dean and the University Information Security and Privacy Office,” Jayaraman wrote in an email seen by the San Francisco Chronicle.

While the financial aid breach was patched immediately, Allcock managed to download the financial aid data to analyze how the business school made financial aid decisions. He wrote a 378-page report alleging that the university has been deceptive in saying that it only awards need-based financial aid to students.
Allcock argued that, instead,
Stanford has been awarding financial aid with a bias for women and
students with finance backgrounds, and against international students, the Chronicle reported.

The employee information included Social Security numbers, birth dates and salaries from 2008 and was secured by early March. The student data came from a wider but unspecified range of dates, the Chronicle reported.

The way organizations respond to and disclose data breaches has come under public scrutiny recently in the wake of several high-profile breaches, including revelations that Uber paid $100,000 to cover up a year-old breach of 57 million records of customers and employees.

For more information about the breach and resignation, read CyberScoop’s full coverage here.

Correction: Due to an error repeated from
SFGate’s original reporting, a previous version of this story misstated Adam Allcock’s
analysis of the student aid. Allcock said Stanford was biasing the student aid
process against international students, and in favor of those with backgrounds
in finance, as well as women.