In a given day, Harvard undergraduates might check e-mail a dozen times, swipe into doors all over campus, eat a meal in one of the House dining halls, or—if they’re splurging—go out to The Wrap using Crimson Cash.
Without thinking, they’ve left a rich digital trail on the University’s servers with information about their daily routine, ranging from meal times and purchases to whereabouts scores of times each day.
In the course of normal operations, Harvard also obtains and keeps sensitive information from the status of financial aid recipients to the job applications, transcripts, and medical records of its affiliates.
While the University has taken some steps to guard this information, much of it is still available to those with an internet connection and a little ingenuity.
Harvard ID numbers are issued to all students, faculty, administrators, and support staff and are supposed to be treated as confidential information, according to Franklin M. Steen, Director of Harvard Arts and Sciences Computer Services (HASCS).
But this approach has marked the crux of the problem for Harvard, which has made ID numbers easily available while continuing to use them as confidential identifiers.
By making a wealth of information—from grades in some classes to eRecruiting job applications to, until this January, medical records—accessible with just an ID and sometimes a publicly available password, the University has protected this data as if ID numbers were confidential.
But because the numbers are printed on every affiliate’s ID card and because they must be shared with others for a variety of mundane purposes, in practice, IDs fall far short of this bar.
A Crimson investigation in January found that anyone with an internet connection could obtain the University Health Services prescription drug histories of any Harvard affiliate. The Crimson also found that this loophole allowed anyone with an internet connection to find the ID number of any Harvard affiliate as well as contact information for students whose enrollment status the University is bound by law to keep secret.
The University is undertaking an audit in response to these issues that aims to implement secure passwords for all of its protected data.
Still, at a time when security lapses are becoming increasingly common both in higher education and more generally, these loopholes underscore the amount of sensitive data Harvard keeps on its affiliates and the risks inadequate security for this data might pose.
ID INSECURITY
The Crimson’s January investigation found that Harvard affiliates’ prescription records could be accessed with only a Harvard ID number and name, which are both widely available pieces of information.
While the now-deactivated iCommons polling tool made this possible by generating names and ID numbers for any University affiliate, a number of groups of students and staff are able to match up ID numbers and names anyway.
In addition, clubs regularly compile ID numbers from student members when planning barbecues or picnics in order to collect food and supplies from Harvard University Dining Services (HUDS) or when performing administrative tasks.
Read more in News
Harvard Health Expert Knighted