Thousands of Private Academic Documents Become Vulnerable Amid Mass Security Watch | New



Widespread security oversight has left at least tens of thousands of Harvard administrative files, including sensitive and confidential information about the university’s governance, available to anyone with Harvard credentials for view, edit, download and share them.

For at least the past few months, Bing search engine users who logged in with their Harvard affiliate email accounts could access certain internal files and websites created or worked by other University affiliates on the platforms. – OneDrive and SharePoint forms owned by Microsoft. Files left available included those viewed or created by mid-level employees up to certain associates of University President Alan M. Garber ’76 and President Lawrence S. Bacow.

The documents remained available until The Crimson contacted the University about it last week. Over the weekend, the University turned off the ability to use Bing to search for Harvard-related Microsoft platforms and shut down a similar internal search feature in Microsoft 365 called Delve.

Harvard University information technology spokesman Timothy J. Bailey wrote in an emailed statement Monday that EIGHT is “currently taking appropriate steps” to identify unauthorized access to sensitive files, restore privacy of sensitive files and create guidelines to protect confidential information in the future.

“Harvard University officials are aware that some people within the Harvard community may have accessed files that they are not authorized to view,” he wrote. “This access and exposure is not the result of malicious activity by outside actors. “

Harvard administrators rely on Microsoft 365 software to share documents internally, including files containing confidential information.

OneDrive and SharePoint give file creators an array of privacy setting options, ranging from personal use only to a “shared with everyone” selection, which some Harvard employees selected in an apparent attempt to share information. documents with colleagues from their teams.

But by choosing to send files using the “shared with everyone” option, dozens of university administrators inadvertently opened the door for all Harvard affiliates to stumble upon the files.

Through its Microsoft Search in Bing feature – which was introduced in June 2021 – the search engine indexed all files owned or processed by University affiliates that were not placed in a private setting. A user logged into Bing with their HarvardKey could be offered these documents by the search engine by simply entering key terms or the names of an administrator, professor, staff or student.

Documents left vulnerable included stored unencrypted user passwords, HUID numbers, donor names, and employee vaccination status reports. There were also notes on University finances; detailed personnel data; diversity, equity and inclusion efforts; and campus expansion plans.

A Microsoft support webpage on Microsoft Search in Bing confirmed that administrators cannot access an academic institution’s search history, which means the university would not be able to determine who may have accessed to which documents. EIGHT can only “see the number of searches by type (people, files, etc.) and an aggregated list of top searches,” according to the webpage.

“We are aware of the problem and are supporting our customer,” wrote a Microsoft spokesperson in an email regarding Harvard’s security oversight.

Even if the files would only appear to a Bing user logged in to their Harvard credentials, the surveillance could potentially expose vulnerable information to a much larger audience, according to Andrew Green, a professor at Kennesaw State University, who studies information security.

Green said Bing’s download and action options increase the risk of exposure.

“Once this data is available and can be downloaded by anyone, it can be shared with anyone,†Green said. “So when we start to look at the potential reach, it’s about global exposure – whether or not that actually happened.”

“This information leak is bad,” he added. “We don’t really know the potential impact yet, because we don’t know who got hold of it.”

—Editor Kelsey J. Griffin can be contacted at [email protected] Follow her on Twitter @kelseyjgriffin.

– Editor Simon J. Levien can be contacted at [email protected] Follow him on twitter @simonjlevien.


Leave A Reply

Your email address will not be published.