Update on Data Exposure

November 30, 2017

Dear Stanford GSB Community,

I am writing to follow up on my message of two weeks ago regarding the concerning Stanford GSB data exposure, and to provide an update on our ongoing investigation and corrective actions.

For the last month, we have been working with a data forensics firm and Stanford’s Information Security and Privacy Offices to review when and how confidential data might have been improperly shared on the Stanford GSB J: Drive, a file sharing system that has been in place at the school for more than ten years. In addition to the financial aid information I reported earlier, we have found that a file created in August 2008 containing the personal information of nearly 10,000 non-teaching staff who were employed throughout the university at that time, was potentially exposed to Stanford GSB faculty, staff, and students.

We do not have any direct evidence that the employee information was in fact accessed. But as a precaution, beginning tomorrow, notification letters are being sent to the employees who may have had personal information exposed. Credit monitoring and fraud protection services are being offered and a call center has been established to take questions. The center can be reached at (888) 684-4998.

These events are deeply regrettable, and I would like to express my apologies, personally and on behalf of the school, to anyone whose personal information might potentially have been compromised. I, like many of you, remain disturbed by the errors that contributed to this unacceptable situation. We are now living in a world where we can easily generate and share large amounts of sensitive data, and we have not adapted. This in no way excuses what has happened, or comforts those whose data we were responsible for and did not secure adequately. But it means we should make every effort to learn and improve from our mistakes and errors.

The exposure of the financial aid and employee data came about in different ways, and they show that we must immediately take steps to improve our data security practices. The financial aid information was stored improperly in a shared folder in June 2016. The employee information, which had been retained on our drive for almost ten years, became exposed as the result of a mistaken change in permission settings in September 2016. Later, in February 2017, staff members learned that a Stanford GSB student had accessed confidential information on financial aid. At that time, the Stanford GSB Digital Solutions team recognized the permission problem and promptly secured the J: Drive folders. However, they did not understand the scope of the exposure and did not escalate it to me or relevant university offices for further investigation.

The episode makes clear that we will need to implement improved practices around data security, and especially, to ensure that if problems are identified, they are escalated and promptly addressed in full. To this end, we will be taking a number of actions. First, we will continue to work with the forensics firm and the Information Security and University Privacy Offices on the investigation. Second, we will be making some organizational changes in our Digital Solutions group. Third, we will be working internally at Stanford GSB and with others at the University to improve our file sharing systems and to build greater awareness in handling confidential data, assigning correct file permissions, and in identifying and reporting potential problems. I am confident that these steps can help us improve and strengthen our practices, and the institution.

Thank you for the work you do each day and for your support of the school.

Sincerely,
Jon Levin

Philip H. Knight Professor and Dean
Stanford Graduate School of Business