IU's indecent exposure

The IU administration usually has its bases covered.

That is why the Editorial Board was so taken aback this past week when the news broke that more than 146,000 students and alumni may have had their Social Security numbers and other important information exposed given their storage in an insecure
location.

The Editorial Board by no means claims to be a leading expert in computer science or cybersecurity. We do, however, know a few basic things.

The Social Security numbers were accessed by webcrawlers, and Social Security numbers are really important.

Webcrawlers, as we understand it, are Internet ‘bots that systematically search the Web for content, such as web pages or hyperlinks. They then index these pages either by copying them or by logging them in a database so search engines, such as Google, can access them more efficiently.

It seems that these webcrawlers accidentally “stumbled” upon IU students’ private information by happenstance. Students shouldn’t worry though, because IU says that the University “has no evidence that the files have been viewed or used for inappropriate or illegal purposes.”

However, that isn’t the end of it.

Though the data might not have been maliciously compromised to steal identities and ruin lives, the University’s inability to keep the data secure despite IU’s vast technological resources is alarming.  

When we give the University our Social Security numbers, we expect they’ll be locked in the cyberspace equivalent to Fort Knox because of Family Education Rights and Privacy Act requirements set by the federal government and the sensitive nature of the information in question.

With all the resources UITS has in its arsenal, the University still couldn’t provide either a secure data management solution or the right policy for the handling of our data.

For 11 months, Social Security numbers lacked enough protection that webcrawlers from Google were able to come in contact with them — which is simply irresponsible. Today, it’s a webcrawler. Tomorrow, it could be a 17-year-old hacker.

This entire incident reveals a major lapse in oversight. The administration should have actively ensured private information was stored correctly, or that University staff was following correct procedure in handling it.

The incident doesn’t reflect well on our campus bureaucracy, either.

The exposure should serve as a wake-up call to the administration that it may be time to streamline and centralize its own services and departments, not just our academic ones.

Simply put, the University dropped the ball on this one. It is surprising, considering the one thing administration is usually good at is the day-to-day running of IU.

The line of defense between our Social Security numbers shouldn’t just be one staff member conveniently discovering the problem.

It should be a series of technological fail-safes designed to ensure this situation never happens again.

IU Chief Information Officer Bradley Wheeler, Provost Lauren Robel and President Michael McRobbie need to act accordingly.

opinion@idsnews.com
@IDS_Opinion