Students’ personal files made available via eDisk resulting from accidental data breach

Shira Kipnees || Senior Staff Writer

On Thursday, March 19, the College became aware of a data breach of two files containing personal information of approximately 356 students that were inadvertently posted on a publicly accessible portion of eDisk — an online data storage and exchange system used by the F&M community.

Once the College’s Information Technology Services (ITS) became aware of the breach, the information was immediately removed and College staff promptly took steps to ensure that the data was no longer cached or accessible via search engines.

According to Kate Carlisle, spokesperson for the College, all of the people affected by the breach were, at various times, students at F&M, and most are still currently enrolled as sophomores. In addition, to the best of its knowledge, the College believes that no person outside the F&M community downloaded or was able to access the information.

“We are reasonably confident that this event is of ‘low-impact,’ meaning that our systems were not deliberately hacked or that the information was not accessed or further redistributed,” Carlisle said.

Carlisle said that she believes that the post was accidental.

“Franklin & Marshall takes privacy laws seriously and strives in every way to preserve the confidentiality of personal information entrusted to it,” Carlisle said.

The College also engaged Kroll, a nationally recognized firm that handles breach notifications, to assist F&M risk management. According to Carlisle, Kroll has established a call center on behalf of F&M to help affected students and families, who may connect with licensed professionals who are trained to help in situations like these to discuss questions or concerns.

Kroll has also set up a secure portal that will allow the College to monitor and report on any activity potentially related to the breach. The College has also set up a “Red Flag” notification on all impacted student IDs in Banner, the College’s student information system.

“‘Red Flag’ will serve as an alert to College personnel in the unlikely case of an unauthorized person trying to access student data,” Carlisle said. “Extra verification steps will be required to ensure that no further data are breached for these students.”

The College will also be offering impacted students free credit-monitoring services for one year, and Kroll will help with that registration process.

In the meantime, according to Carlisle, the College is constantly reviewing procedures, developing policies, providing training, and implementing tools and best practices to better secure both paper and electronic data across campus. Carlisle explained that part of this ongoing work has been the formation of an Information Security Working Group, which is contributing to the overall efforts of F&M’s Enterprise Risk Management team. ITS also is accelerating its proactive scanning of the F&M network for any vulnerable data. Thus far, no additional data has appeared that is of concern.

Senior Shira Kipnees is a Senior Staff Writer. Her email is skipnees@fandm.edu.
