Russell Korando reports on a university data breach that demonstrates why universities need to nail down security and access to education records:
LindenLeaks is no longer posting information about Lindenwood University or its students on Twitter.
Sometime early Wednesday, the Twitter account stopped publishing.
Lindenwood officials, St. Charles police and the St. Charles County Cyber Crimes Unit had been investigating LindenLeaks’ publication on the Internet of 180 names of students who were suspended from the private school for the fall 2011 semester. The posted information also included students’ grades, majors, phone numbers and email addresses.
On Tuesday, Lindenwood sent those students a statement indicating the university learned Monday evening that some private information on a limited number of students had been released publicly on the social network Twitter without authorization from Lindenwood. The statement said local law enforcement was receiving Lindenwood’s full cooperation in the investigation and that no Social Security numbers were compromised.
Read more on STLtoday.com. See also College Times, CBS St. Louis, and KMOV.
The individual associated with @LindenLeaks account offered a statement on Pastebin yesterday:
My earlier leak is a mere example of the nature of the items I have access to, and a demonstration of how information freely shared clearly doesn’t upset or concern me.
Since it’s release roughly seven hours ago, the document has been downloaded almost 140 times. My intention was not to defame the students listed in the document, nor to bad mouth them in some form. However, the “casualty” of their information however sensitive in nature it is considered, I count it only as unavoidable.
My goal in this and future leaks is to gain the interest of the @LindenwoodU Twitter handle, and open dialogue with them, in addition to dialogue with Kerry Cox, (@Kerry_M_Cox) who has strangely been inactive on Twitter these last few months until I gained his attention. As a result, the student body should thank me for reintroducing one of it’s more public figures on campus to the public light.
As you can see from my twitter feed discussion with @ChelsySaysHi this afternoon, I do not hate, nor have a vendetta against Kerry, or any faculty or employee of Lindenwood University. What I do have is a desire to open dialogue between the student body and the members with which they take issue in an open format and anonymously if they so desire. I also have a desire to see information previously kept secret by the university (including various housing, business office, and customer relation issues) kept in the open.
I have been told via a series DM’s with various Twitter users that the University is “looking” for me, and that my actions are “criminal.” Neither are true. Given the method with which I have acquired the document posted today, the student body as well the as the faculty should be thanking me for showing them what meager effort it takes to acquire such information and make it public.
Finally, my efforts are open and public. Anyone can leak anything. I have publicly made both my email as well as my Twitter handle widely available and accessible. If Kerry, Terry Russell, or any other member of any department, both on the faculty or among the University employees, or even students have questions or concerns, FEEL FREE TO EMAIL THEM.
That is all.
So some of the damage is already done as 184 students’ records have been downloaded over 100 times, and probably by at least some fellow students. And what stops any of the downloaders from re-uploading the list to a file-sharing site? Will the list reappear on the Internet?
And will the affected students sue the university? FERPA doesn’t provide a private cause of action, so I think they’d have to find some other legal basis for any claim. Would a court consider embarrassment as harm if the students don’t seek psychological counseling over the incident? If not, what harm or damages can they show if there are no statutory damages?
And what happens to all the tweets now that the account was unplugged? Does DataSift still get them? Does the Library of Congress? I’ve tweeted a message to Twitter’s counsel and hope he replies with an explanation. If I get one, I’ll update this post.
Heh, sounds like he is making his/her own rules. As if a “hacking clause” is going to save him/her. Sorry. You obtained PII and made it more readily available, personally putting people at risk. Thats simply a no-brainer (in more ways than one). Its obviously neglect, bottom line.
Seems like this person has way too much time on thier hands. If your monitoring people’s habits, you need a life. Its no longer under the discretion whether these people file charges or not. Its an act against an EDU, and if they get federal aid I am sure they will call in the Feds, if they aren’t already carefully digging through the information already.
Not to push anyone, but if the Feds hurry along, they may be able to size you up in your new favorite color with the others that got arrested earlier in the week. Orange.