Indiana University exposes sensitive student data | Cybernews

Updated on: 22 May 2023
Jurgita Lapienytė
Chief Editor
Indiana University has leaked confidential Beginning College Student Engagement Survey (BCSSE) data.

Each year, hundreds of institutions across the US and Canada ask their first-year, transfer, and older students to participate in a survey about their prior academic and co-curricular experiences. They also ask them to share their expectations from the coming year.

The survey isn’t anonymous – students are asked to enter their full names and student card numbers. What’s more, participants are asked to specify where they’re going to live during their studies, their sexual orientation, race, and ethnicity. Some of the questions are designed to learn about the psychological well-being of the students.

While the study is not anonymous, it’s supposed to be confidential, and only structured data is shared publicly. For example, the BCSSE in 2021 revealed that over 50% of incoming students felt mentally and physically exhausted, and 20% felt desperate.

Naturally, a survey asking students to provide personal data and deeply private thoughts needs to be highly secured. However, that’s not always the case.

What did the Indiana University leak?
The Cybernews research team discovered that one of the institutions participating in the survey – Indiana University – failed to protect the BCSSE survey data.

Our researchers stumbled upon two unprotected Azure Storage blobs with over 1.3 million exposed files.

The documents, which the public shouldn’t be able to access in the first place, contained confidential BCSSE data: student full names, card numbers, and their answers about academic background and performance.

“Because the survey is designed to help advisors understand how students are performing and in what areas they might be facing challenges, it’s important that students feel encouraged to answer honestly to the survey questions. With their answers being publicly available, there’s the potential risk of students either abstaining from taking part in the survey or not feeling comfortable in submitting truthful answers,” Cybernews researchers warned.

Since hundreds of institutions administer the survey locally on their campuses, a leak like this could discourage students from taking the survey in the future amid privacy concerns.

Is my data safe?
In an attempt to help the university secure sensitive data as soon as possible, our research team quickly informed it about the leak. The dataset is now secured.

The university told Cybernews that its Information Security Office was “actively working with institutional partners to address the outcome of a potential data exposure that resulted from a third-party vendor’s misconfiguration.”

“Immediately following discovery of the exposure, IU worked with the vendor to secure the storage locations and is confident the data does not include information that can be used for identity theft or financial fraud. IU is conducting a thorough review of the incident to prevent a recurrence, with a specific focus on third-party vendor risk,” their email to Cybernews reads.