[UPDATE] 25,000 OU Student Pictures Online Without Password Protection
Quick Facts
- Date: 3/4/2008
- Institution: Ohio University
- Type of Incident: Unauthorized Disclosure
- Number Affected: 25,000
- Source: Pogo Was Right
- Abstract Source: The Post
- Update Source: The Chronicle of Higher Education
Abstract
David M. Hendricks Jr., a Post reporter and Ohio University Resident Assistant, recently alerted Ohio University that pictures of 25,000 OU students were available via the Internet. The pictures, part of the university's Community Incident Report web site, were discovered after Hendricks started added different words to the end of the site's address. Hendricks found that the pictures came up without any need for him to use his RA login and password to the Community Incident Report system. Ohio University secured the site within hours of notification and it does not appear the site was indexed or cached by any search engine. The pictures were not accompanied by names but did include 10-digit identification codes that allow appear on student IDs. According to Patrick Beatty, Associate University Registrar, pictures are not considered directory information by the university. According to OU's Internal Audit guidelines, posting a student’s picture on a Web site without a signed release is a violation of federal privacy law.
Update1: Ohio University is disputing the claims made by the OU newspaper that 25,000 student pictures were available to the Internet with no protections. According to OU CIO Bruce Bible, "It's been overblown. There has been nothing exposed, and the information was non-descriptive to start with. There is no sensitive data tied to this site." According to Bible, to get access to all of the pictures, a resident assistant would need to first log in and then right-click to get the address for the entire directory. This address could then be shared with others.
