Possible information 'breach' exposes student files

By Joshua Miller, Orient Staff

April 11, 2008

http://orient.bowdoin.edu/orient/article.php?date=2008-04-11§ion=1&id=1


Due to what Information Technology (IT) is calling a "possible breach," confidential information was accessible to anyone with a Bowdoin username and password for an unknown length of time. The data included student Social Security numbers, insurance information, lists of students on medical and disciplinary leave, internal health center contracts and employee reviews, yearly budgets, and e-mails.

A folder containing the private files of Caitlin Gutheil, the former student health program administrator who departed Bowdoin last month for another job, was discovered unsecured on the College's "Microwave" server. The Orient became aware on Wednesday that private student data was exposed after receiving a tip. The editors immediately notified IT, which professed no prior knowledge of the breach. The folder was no longer accessible as of Thursday night.

Gutheil's files contained a number of Microsoft Excel spreadsheets with insurance information for the 2005-2006 academic year. The files included every enrolled student's insurance company, policy number, and policy holder.often a parent.

The Orient repeatedly requested further details from college administrators, including the Dean of Student Affairs Tim Foster, Chief Information Officer Mitch Davis, and Vice President for Communications and Public Affairs Scott Hood. Although these individuals did not provide the Orient with specific information, Davis acknowledged the mistake in a campus-wide e-mail Thursday night.

"We have no reason at this time to believe that any of the information was actually accessed, transferred to, or used by anyone off campus," Davis wrote in the e-mail. "To the best of our knowledge, this possible breach does not involve College financial systems, investment data, alumni information, or credit card information, but rather files stored by students and employees within personal network folders."

However, one of Gutheil's file included the names, addresses and Social Security numbers of every member of the class of 2010. Two others listed every student who was on medical or disciplinary leave in 2005 and 2006, including their personal contact information.

Internal Health Center budgets, draft e-mails, letters to attorneys, and detailed employee performance reviews were also left unsecured on the server.

These were "my secure...files and I have no idea how this happened," Gutheil said when contacted by telephone. She referred questions to Bowdoin's IT division.

"This should not have happened, and I really appreciate the Orient alerting me," Davis said in an e-mail to the Orient.

To investigative the "possible data security breach," the College is bringing in a New York City-based firm that specializes in computer forensics and computer investigations to look into what happened.

"Bringing in this team seems like the right thing to do," Davis added in a telephone call late Thursday.

According to Bowdoin's IT Computer Use Policy, which was last updated in March of 1999, "Persons with access to administrative data are obligated to keep it confidential."

"We put a lot of faith in the College to protect our information security," President of the Bowdoin Student Government (BSG) Dustin Brooks '08 said, "and most of the time they do a very good job of that...especially in the Office of the Dean of Student Affairs."

"But it's interesting this happened at the Health Center...The Health Center is a place where confidentiality is my biggest worry," Brooks said.


main 
page ATTRITION feedback