resource guide incident final
7/30/2019 Resource Guide Incident Final
Incident Findings and Recommendations
for Data Exposure through the Resource Guide for the 63rd
Legislative Assem
Dick Jacobson, IT Security Officer, North Dakota University System
4/18/2013
Incident Summary
Student data, including some potentially identifiable information, was exposed through an
informational document prepared for the ND Legislature. The Resource Guide for the 6
Assembly (http://www.ndus.edu/uploads/reports/114/2013-resource-guide.pdf), in whic
exposed, was compiled over a period of months during the fall of 2012 and the PDF was c
made available the second week of January for the Legislative session.
Background Information
The data that was exposed was used to create several charts in the Resource Guide and
the guide as underlying data on those charts. The specific charts where the data was ex
Section 5 on pages 10.1 through 10.4 and included as Attachment E on this document.
The application used to create these charts was from Tableau Software. The evaluation o
application was begun on October 23, 2012 with Linda Baeza Porter, the NDUS Reporting
and the report creator for this section of the Resource Guide, evaluating Tableau Deskto
Cameron Battagler, an IT Specialist for NDUS SITS, evaluating Tableau Server. Two Tablea
licenses were purchased on November 15, 2012 in order to develop the information for th
Guide. In addition, 10 Tableau Server licenses were purchased for an unrelated project in
Chancellor's Office. Linda Baeza Porter, as the report creator, did not discuss the method
publish the materials in Tableau Desktop, for the Resource Guide, prior to publishing the
materials were eventually published to the Tableau Public service, using Tableau Desktop
report creator being aware that the underlying materials were being made publicly avai
for the software (http://www.tableausoftware.com/public/faq) states that the data is mad
published, but Linda Baeza Porter stated that when publishing the report, no warnings ab
were noticed by her. There is a Tableau service (Public Premium) that can be licensed tha
the report creator to keep the underlying data confidential; but Linda Baeza Porter said sh
On Tuesday, March 19, 2013, Rosi Kloberdanz, the Assistant CIO for External Relations, an
Jacobson, the NDUS IT Security Officer, were advised by the NDUS CIO, Randall Thursby, t
the background data that was used to create portions of the document were being expos
had been alerted to this by the NDUS Director of Internal Audit and Risk Assessment, Bill E
Jacobson, Rosi Kloberdanz and Cameron Battagler began to determine what data was exp
to remove the exposure. This was complicated somewhat because a portion of the Table
infrastructure was experiencing problems and unavailable at the time. Cameron Battagle
copy of the data he was able to find, in order to document which data was exposed, but d
the necessary permissions to delete the data. The same morning, about 10:00 am, Rick An
Director of Infrastructure and Operations, had been made aware of the issue by Linda Bae
had been earlier contacted by Michael Kubisak, an Institutional Research Analyst from Bis
College. Rick Anderson contacted Rosi Kloberdanz and Dick Jacobson around 12:30 pm. A
conversation to merge our knowledge at that time, we determined who would take what
the problem data unavailable. Dick Jacobson contacted Tableau Software to have them b
could and Cameron Battagler assisted Linda Baeza Porter in removing data, finishing abou
the end of the workday on March 19, all public access to the data had been removed. On
22, Linda Baeza Porter submitted an After Action report to Josh Riedy and Rick Anderson
advised of the report on March 28, Dick Jacobson asked for and received a copy of the rep
Anderson. That report is included as Attachment D.
Subsequent scans/searches have not turned up any additional data exposed in the Resou
Nor have we found any data cached on the Internet by search engines.
The NDUS CIO convened a meeting on the afternoon of March 26 to begin the discussions
happened and what is needed to avoid this in the future. On that date Dick Jacobson requ
datasets exposed in order to determine the scope of the exposure and what follow up act
necessary. What began as a single dataset on March 26 expanded, by the evening of Apri
datasets that were exposed either in their entirety or in part. Because we cannot say for
much of the data was exposed, we must assume these were exposed in their entirety and
accordingly.
Data Elements Exposed
The data elements exposed are listed in Attachment A, grouped by dataset; definitions fo
elements are listed in Attachment B; and the NDUS Directory Information definitions requ
Family Education Rights and Privacy Act, and listed in NDUS Procedure 1912.2, are include
Attachment C.
Datasets 2 and 3 each contain Emplid and Institution among their data fields, but no other
identifiable information. Again, while much of the data is not Directory information, it pro
be put together to identify an individual.
Dataset 4 contains Emplid but no other information specific enough to an individual to be
uniquely identify a person.
While the Name and Addresses of students are listed as Directory Information in NDUS Pr
1912.2, Emplid is not defined as Directory Information. Thus each record exposed is a rele
Directory Information from an individual's Student Record. Questions arose about how m
students had expressed the desire to have their Directory Information also not released, a
under FERPA, and how many of the students were also employees of the University Syste
and therefore possibly subject to privacy laws and policies specific to employees. From ea
datasets those numbers are:
             Students requesting      Students also
             additional protection    employees
Dataset 1    29                       7919
Dataset 2    0                        18
Dataset 3    22                       2819
Dataset 4    6                        777
Of the 57 total students requesting non-release of their Directory Information there are 3
duplicated records. For those students that are also employees, the 11,533 records repre
individuals.
Note that emplids 0315052 and 0276646 exist in both datasets 3 and 4. We were unable
these students in the current student data we used to extract some of the other informa
report. Upon further examination, 0276646 was last enrolled at UND in Spring of 2005 an
was enrolled at LRSC for Fall of 2010 but dropped before the semester started and was en
MaSU for Summer of 2010. Neither appears to be a current enrolled student and becau
person exists in our search of current data, we have no indication if they have requested a
protection under FERPA or if they are also employees.
However, in looking at specific policies and procedures for employees, from Procedure 19
employee requested privacy in HRMS, then the address cannot be released, and from Pol
Procedure 1912.3, the employee's emplid is not declared exempt so that information may
exposed.
Likewise, for students, the emplid is not defined as Directory information in Procedure 19
cannot be exposed. And according to Policy 1912 and Procedure 1912.2, the students can
desire that the Directory Information not be released, as 32 students have done, meaning
restrictions on some of the information exposed.
Data Exposure and Notification
Exposure of the emplid itself could be interpreted as requiring notification to all those ind
affected. However, FERPA does not mandate notification to the students in this incident.
The Federal Register at http://www2.ed.gov/legislation/FedRegister/finrule/2008-4/120908a.html
[[Page 74844]]
says:
Finally, if an educational agency or institution has experienced a theft of files or co
equipment, hacking or other intrusion, software or hardware malfunction, inadverte
data to Internet sites, or other unauthorized release or disclosure of education recor
Department suggests consideration of one or more of the following steps:
Report the incident to law enforcement authorities.
Determine exactly what information was compromised, i.e., names, addresses, SS
numbers, credit card numbers, grades, and the like.
Take steps immediately to retrieve data and prevent any further disclosures.
Identify all affected records and students.
Determine how the incident occurred, including which school officials had control
responsibility for the information that was compromised.
Determine whether institutional policies and procedures were breached, including
organizational requirements governing access (user names passwords PINS etc ); st
Notify students that the Department's Office of Inspector General maintains a We
describing steps students may take if they suspect they are a victim of identity theft a
http://www.ed.gov/about/offices/list/oig/misused/idtheft.html;
and http://www.ed.gov/about/offices/list/oig/misused/victim.html.
FERPA does not require an educational agency or institution to notify students that
from their education records was stolen or otherwise subject to an unauthorized rele
it does require the agency or institution to maintain a record of each disclosure. 34 C
(However, student notification may be required in these circumstances for postsecon
institutions under the Federal Trade Commission's Standards for Insuring the Security
Confidentiality, Integrity and Protection of Customer Records and Information (``Safe
in 16 CFR part 314.) In any case, direct student notification may be advisable if the co
data includes student SSNs and other identifying information that could lead to ident
The information exposed in this incident does not appear to require notification under the
Rule mentioned. Even though notification is not required by FERPA, we could choose to n
exposed individuals or we could choose to notify those individuals that have expressed th
protect their Directory Information.
Also, for employees, since the data was derived from the individual's student record, rathe
individual's personnel record, ND Century Code section 44-04-18.1 would seem to indicate
would not be mandated because of an individual's incidental status as an employee.
In any case, any decision to notify individuals of this incident should be made by the NDUS
compliance officers after consultations with the NDUS CIO.
Recommendations
We need to examine our policies, procedures and processes in order to avoid a recurrenc
moving forward. We need to look closely at all processes and procedures, at the NDUS le
internal to SITS, that address data protection and confidentiality issues. Education of all s
regard to security of information and individual responsibility for the same must be a part
projects and plans. The NDUS should also review policies and guidelines for the preparatio
for publication -- with a special focus on data protection, individual responsibility and proj
Attachment A
Dataset 1
Acad Career
Acad Group
Acad Level
Acad Plan
Acad Program
Address
Admit Term
Admit type
Appl Grad Dt
Appl Last Sch Attend
Appl Number
As of Date
Citizenship
City
Citzn Country
Country
County
Emplid
Ethnic Descr
Inst
Institution
Level Descr
Military Status
NDUS Grad HS
NDUS HS Grad Dt
Name
Number of Records
Plan Descr
Postal
Program Descr
Res Addr County
Res Addr State
Res Addr Type
Res Country
Res State
Residency
State
Term
Dataset 2
Acad Career
Emplid
CIP Code
CIP Code Category
CIP Code Description
CIP Code Category Description
Completion Term
Degree Nbr
Degree
Degree Level
Institution
Plan description
Program Description
Program New
Program Inactive
Dataset 3
Acad Career
CIP Code
CIP Code Category
CIP Code Category Description
CIP Code Description
Completion Term
Degree Nbr
Degree
Emplid
Institution
Plan Description
Program Inactive
Program New
SOC Code
SOC Code Description
SubPlan Description
Term
Dataset 4
Acad Career
CIP Code
CIP Code Category
CIP Code Category Description
CIP Code Description
Completion Term
Degree
Degree Class
Degree NBR
Emplid
Institution
Institution Name
Institution Tier
Number of Records
Plan Description
Program Description
Program Inactive
Program New
Term Description
Attachment B
Field Definitions
Acad Career - A grouping of students by academic level, such as Undergraduate and Gradu
Valid Values
UGRD - undergraduate
GRAD - graduate
PROF - professional
LAW - Law
MED - Medical School
CNED - Continuing Education
Acad Group - Academic Subdivisions of the Institution.
Some examples are:
College of Business
Division of Vocational Education
Department of Health and Wellness
Acad Level - A grouping of students within a career defined by credit hours earned and ins
policy.
Valid Values
10 - Freshman
20 - Sophomore
30 - Junior
40 - Senior
GR - Graduate
P1 - First Year Professional
P2 - Second Year Professional
P3 - Third Year Professional
P4 - Fourth Year Professional
Acad Plan - Academic Plans are majors and minors.
Plans are approved by SBHE and are located in the Academic Plan Table referenced in the
Acad Program - Designated major/program (area of study) in which a student is working.
Address - The location where the student may be reached. This file uses the address usag
Permanent, Home, Mailing, Dorm, Campus.
Admit Term - The Term associated with the student's Application, admission and or matric
institution. The term a student is admitted to a program.
Admit type - Signifies a type of student that applies for admission to an institution.
Values Vary by Institution and Career
COL - Collaborative Student
DC - Dual Credit Student
ERE - Early Entry Student
FYR - First Year Student
NON - Non-Degree Student
RDM - Readmit
TRN - Transfer Student
TRT - Transient
Appl Grad Dt - Graduation Date associated with the last school attended on the student's
admission.
Appl Last Sch Attend - The school the student declared as the last school (high school, co
university, etc.) the student attended prior to applying for admission to the institution.
Appl Number - Automatically generated number assigned in CS to the specific application
individual.
As of Date - The date the data was extracted into the static history tables.
CIP Code - Classification of Instructional Program codes are Federal codes used to support
tracking, assessment, and reporting of post-secondary fields of study and program comple
CIP Code Description - Description of the classification code.
CIP Code Category - Matrix of CIP area of study.
CIP Code Category Description - Description of that Matrix.
Citzn Country - The student's current citizenship country.
Completion Term - Term degree was awarded.
Country - The country associated with the address.
County - The county associated with the address.
Degree - An award conferred to a student signifying that requirements have been comple
are grouped within careers.
Degree Class - Type of degree. Some examples are:
Associate
Bachelors
Certificate
Degree Nbr - Degree number awarded.
Degree Level - The award level of the degree.
Emplid - This is the unique identification number assigned to any person (student/employ
record in PeopleSoft.
Ethnic Descr - Ethnicity - The race group or groups with which a person identifies or having
identified as valid values for IPEDs reporting.
Gender - The gender code indicates what the sex of the employee or student is.
Valid Values
These are consistent across the University System and State Government.
F = Female
M = Male
U = Unknown
Group Descr - The description associated with the Academic Group.
Inst - The campus that is tied to the person and uniquely identifies the enrollment institut
Institution - The campus that is tied to the person and uniquely identifies the enrollment
Two year campus
Research campus
Level Descr - The description for Academic Level.
Military Status - Military status is current. Status relates to the Federal Veterans Services
Reporting requirements.
NDUS Grad HS - The high school the student attended and graduated from as determined
school pick created in Campus Solutions. The selection order includes: 1. GED completion
graduation data; 3. External education page data; 4. NDUS High School application data; 5
attended on the application for admission; 6. Last school attended on prospect data in Ca
Solutions; 7. The high school declared on the previous PeopleSoft online application.
NDUS HS Grad Dt - The date recorded in Campus Solutions as the day the student gradua
school. The selection order includes: 1. GED completion; 2. K-12 graduation data; 3. Exter
page data; 4. NDUS High School application data; 5. Last School attended on the applicatio
admission; 6. Last school attended on prospect data in Campus Solutions; 7. The high scho
the previous PeopleSoft online application.
Name - Consists of Last-name, first-name middle-name (if applicable).
Number of Records - Number of records in this dataset for this emplid.
Plan Descr - The description of the Academic Plan.
Plan description - Description of the student's plan.
Postal - The zip code associated with the address.
Program Descr - The description of the Academic Program.
Program Description - Description of the student's program.
Program New - Is the program New Y/N.
Program Inactive - Is the program inactive Y/N.
Res Addr Country - The country associated with the student's address type chosen in the f
address usage order: 1. PE permanent; PA Parent; MA Mailing; HO Home.
Res Country - The country associated with the address reported on the Official Residency
Campus Solutions. The data from the row associated with the reported term is used.
Res State - The state associated with the address reported on the Official Residency recor
Solutions. The data from the row associated with the reported term is used.
Residency - The official residency for tuition purposes. This is determined by State and Ins
SOC Code - Standard Occupational Classification code as supplied by the U.S. Bureau of La
SOC Code Description - The occupations in the SOC are classified at four levels of aggrega
the needs of various data users: major group, minor group, broad occupation, and detaile
occupation. Each lower level of detail identifies a more specific group of occupations.
SubPlan Description (Academic Subplan) - A group of courses within an approved acade
which is identified in an institutional catalog.
State - The state associated with the address.
Term - The post-secondary academic year and term the data is tied to. The first two-digits
academic year while the last two-digits identify a specified term.
Term Description - More readable term. Example: Fall 2011.
Total Credits - Displays the total number of units taken for progress. This total is used in St
Records to determine academic load. This field excludes audits.
Type - type of address field in Address. Address type used in the priority of Permanent, H
Dorm, Campus
Attachment C
Directory Information defined from Procedure 1912.2
1. Name (all names on record)
2. Address (all addresses on record)
3. E-mail address (all electronic addresses on record)
4. Phone number (all phone numbers on record)
5. Height, weight and photos of athletic team members
6. Date of birth
7. Place of birth
8. Major field of study (all declared majors)
9. Minor field of study (all declared minors)
10. Class level
11. Dates of attendance
12. Enrollment status
13. Names of previous institutions attended
14. Participation in officially recognized activities and sports
15. Honors/awards received
16. Degree earned (all degrees earned)
17. Date degree earned (dates of all degrees earned)
Photographic, video or electronic images of students taken and maintained by the institut
Attachment D
Linda Baeza Porter After Action Report
After Action
On Tuesday March 19, 2013 I received an IM from Michael Kubisak at Bisma
telling me that there was student information to include emplids connect to
interactive graphs in the Legislative Report published at the beginning of the
This document and it linked interactive charts through the tableau software
tested the charts prior to release but missed a link that Mr. Kubisak found.
I took the following actions
Notified both Josh Riedy and Aimee Copas.
Called Deanna Daily and Asked her to remove the document contain
links to the website.
Contacted Tableau to ask for assistance.
Then with the help of Rick Anderson began to trouble shoot and ens
of the information was taken down. Mitigating as much as possible.
At this time the risk of student information actually being compromi
low. This report had very specific audience, Legislators. The level
down that needed to happen to get to the information was significan
only report of this information in my purview was from Mike Kubisa
Subsequent conversations revealed that Randall Thursby CIO was w
from a different angle but has not provided me with any information
The information was still in many ways directory but did include un
enrolled.
The only outlying information would be that if someone down loade
actual student breakout into a paper or electronic spreadsheet on th
computer.
SLOW DOWN,.Please find attached the screen shots of the process of publishing