A reported 250,285 students’ grades were vulnerable to being searched using an official IU GPA calculator that gave students, faculty and staff access to other students’ grades, IU spokesperson Chuck Carney said Monday. IU has yet to release specific information of how many students’ grades were searched by another person.
IU blamed a software mistake for the grade leak in a Monday email notifying students of the situation. Only a small number of individuals used the tool to look up grades that were not their own, according to the email.
In violation of federal privacy law, the calculator gave students, faculty and staff access to the grades, courses taken, and GPAs of all enrolled undergraduate and graduate IU-Bloomington students, current transfers to and from IU-Bloomington, and former students from any IU campus who graduated or left after 2013, IU spokesperson Chuck Carney said. The tool also included the grades of students who graduated before 2013 whose records were reactivated on or after Nov. 26, 2013.
Student records are reactivated for a number of reasons, such as the student requesting a transcript, making a bursar payment, registering for a course or making an academic advising appointment.
IU sent two emails out to students Monday. One notified students that the university did not have evidence that their information had been accessed inappropriately by another person. The other notified students whose grades had been accessed by another member of the IU community.
But an Indiana Daily Student investigation found that at least one student may have been misled about whether anyone had accessed their information.
An IDS staff member, whose grades were looked up by another editor for reporting purposes, received the email saying there was no evidence that her student records were accessed inappropriately.
IU has yet to complete a records request filed Thursday for internal emails regarding the GPA calculator or to provide the reason they are not public.
The calculator revealed records dating back to Nov. 26, 2013 and had been online since November 2018. The university took down the GPA calculator Feb. 4 within an hour of being notified about the situation by the IDS.
The tool, developed by the Office of the Vice Provost for Undergraduate Education, allowed students to calculate their GPAs for specific types of classes by selecting the courses that were factored into the calculation. The webpage was designed to allow students access to only their own grades, Carney said.
Grades, test scores and courses taken are education records protected under the Family Educational Rights and Privacy Act, which bars schools receiving public funding from releasing grades without prior written consent.
“This is a clear FERPA violation,” said LeRoy Rooker, former director of the Department of Education’s Family Policy Compliance Office and a leading authority on educational privacy law. “There’s not any gray area here. You just can’t have that.”
The email sent to students emphasized that this information was not downloaded en masse and was only available if a student or member of faculty or staff manually looked up a student’s name. IU said it will post any updates about its ongoing investigation here.
Clarification: The headline on the story has been changed to more accurately reflect the extent of the breach.