A misconfigured privacy setting on San Jose State’s Google Groups feature leaked private information, a Spartan Daily investigation found. Partial social security numbers, addresses and other confidential information were accessible to any student or faculty member with an sjsu.edu email address.
After being reported to SJSU Information Technology on June 3, the university changed permissions later that day to remove access.
Google Groups hosts over 3,000 mailing lists for the university. Each mailing list can have its own privacy option, with choices including posts being just visible to list members, or being visible to the entire SJSU organization.
Mailing lists that handled the IT password reset queue and Student Union Human Resources, among others, were set to being visible to the entire SJSU organization.
Any student or faculty member with standard permissions could find and view posts that contained private information.
A series of emails with password reset requests from students exposed their birthdays, addresses, and partial Social Security numbers.
The switched off privacy setting revealed screenshots of students’ payroll information and a scan of a passport in a messaging group related to faculty led programs.
The payroll screenshots showed individual students’ hiring and termination dates, their salary, time cards, and partial Social Security numbers.
The Spartan Daily also found discussions that were likely intended to be confidential between SJSU staff members about how to identify students that were cheating on assignments.
Other staff members used a visible mailing list to discuss candidates for an open job, including their evaluations of each individual candidate that applied and was interviewed, and then whether the candidates they extended offers to accepted them.
In a statement, Bob Lim, SJSU vice president for information technology and chief information officer, wrote that after being notified by the Spartan Daily about the leak, “The IT division immediately initiated a review. As a result of the review, by the end of the day on June 3, IT changed Google Group settings so that only Group members had access to Group content.”
The review is still in progress, and the university plans to release more information once it is completed, Lim wrote.
The Spartan Daily waited for confirmation from the university that access to the confidential data had been restricted before publishing.
Google’s documentation recommends that only domain administrators should be allowed to create groups to reduce the risk of data leaks.
But at SJSU, any organization member can create new mailing lists.
Despite the changes made by IT, it is still possible to create new Google Groups that are visible by the entire organization.
The California State University classifies data into three categories: Level 1, 2, and 3, with 1 needing the most protection, and 3 needing the least.
According to SJSU’s “Cheat Sheet: Information Classification Handling” from March 1, 2019, partial birthdays without year and other student information such as address and partial Social Security numbers would fall under Level 2.
It is acceptable to share Level 2 information with other sjsu.edu email addresses, even if the information is not encrypted, according to the cheat sheet.
The scanned passport would fall under Level 1. That level is supposed to always be encrypted, and cannot be shared over email unless it has gone through a “third party encryption tool.”
But despite information about the university’s data protection practices being available online, some students aren’t necessarily aware.
“I’m not familiar with the school’s security system, so it’s kind of a blind trust on there,” Griffin Weizer, a public administration graduate student, said. “I don’t think anyone is terribly sure what they’re giving and how it’s being handled, but I’d like to think it is secure.”
Last year, various online media outlets and Google itself warned about customers misconfiguring groups, inadvertently leaking private data.
“There have been a small number of instances, however, where customers have accidentally shared sensitive information as a result of misconfigured Google Groups privacy settings,” Google wrote in a June 1, 2018 blog post.
SJSU is not the first university to have this problem. The Heights, Boston College’s student newspaper, reported on the same exact vulnerability affecting their campus back in April 2018.
According to The Heights, in response to the Boston College incident, which involved confidential police files and donor information being leaked, Google made it possible for administrators to change the policy of groups across the entire organization.
It is the same ability that SJSU IT administrators used on June 3 to lock down existing groups.
Until the university finishes its review, it is unknown the full extent of the data leak, and how many people actually accessed the private information.