Unprotected Attendance Spreadsheets 12-3-13

I was looking for SQL injection vulns, but I found this which is probably more important, representing a sort of breach, not just a vulnerability.

However, the files I found just list one class each, with names and attendance dates, so they do not satisfy the requirements for Personally Identifiable Information, which would require a name and another identifying item, such as an SSN. So public exposure of these files is not a PII breach.

However, I think these spreadsheets do violate FERPA regulations. Here is the requirement:

Schools may disclose, without consent, "directory" information such as a student's name, address, telephone number, date and place of birth, honors and awards, and dates of attendance. However, schools must tell parents and eligible students about directory information and allow parents and eligible students a reasonable amount of time to request that the school not disclose directory information about them.
From: http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html

Here are the Google queries I used to find these files:

inurl:edu "inurl:aspx?sectionid"
inurl:edu inurl:ExportExcel

UPDATE: The vendor has patched the problem!

1. California Institute of Integral Studies

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=10&ved=0CG4QFjAJ&url=https%3A%2F%2Fmy.ciis.edu%2FICS%2FPortlets%2FLMS%2FAttendancePortlet%2FExportExcel.aspx%3FSectionID%3Dd5c0c1bf-75ae-46f0-967a-2a49d788f950%26AttendanceMode%3D0&ei=gA2eUtSBGobpoASY3ID4Bw&usg=AFQjCNHeeKiwkVwfXgwddVeNuRHLHgzYmw&sig2=aQo4-x6PNax8dHdcaedy-A&bvm=bv.57155469,d.cGU

Downloads an Excel file of student data

sstrong@ciis.edu dreyna@ciis.edu security@ciis.edu web@ciis.edu

2. Cambridge College

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=12&ved=0CDUQFjABOAo&url=https%3A%2F%2Fmycc.cambridgecollege.edu%2FICS%2FPortlets%2FLMS%2FAttendancePortlet%2FExportExcel.aspx%3FSectionID%3D22e7f1e1-2910-47c9-92c6-15b3175cf80e%26AttendanceMode%3D0&ei=txaeUqq2FYH0oAT1ioDACQ&usg=AFQjCNGPqAe9tcdUazOLbWTzJ--pjcVsZA&sig2=YfP4kLhxTH8Aw5W6MRsz8g&bvm=bv.57155469,d.cGU

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=13&ved=0CDwQFjACOAo&url=https%3A%2F%2Fmycc.cambridgecollege.edu%2FICS%2FPortlets%2FLMS%2FAttendancePortlet%2FExportExcel.aspx%3FSectionID%3Dfb796721-d3fe-4eee-abc5-623c99494a9e%26AttendanceMode%3D0&ei=txaeUqq2FYH0oAT1ioDACQ&usg=AFQjCNFeoqiDMdp_gsYYcVGC10BgOkY-2Q&sig2=15Yf666NQ8ECpwX3CflweQ&bvm=bv.57155469,d.cGU

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=14&ved=0CEMQFjADOAo&url=https%3A%2F%2Fmycc.cambridgecollege.edu%2FICS%2FPortlets%2FLMS%2FAttendancePortlet%2FExportExcel.aspx%3FSectionID%3D43855187-886b-45b7-8525-5986c8406591%26AttendanceMode%3D0&ei=txaeUqq2FYH0oAT1ioDACQ&usg=AFQjCNGfgf-7n-XPnuPDpyi-eZSLuWAteQ&sig2=i6dCf-Da1ttVNycUrbvt3g&bvm=bv.57155469,d.cGU

Downloads XLS files of student data

Deborah.Jackson@cambridgecollege.edu Regina.Robinson@cambridgecollege.edu John.Papadonis@cambridgecollege.edu

3. Carroll U

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=6&ved=0CFIQFjAF&url=https%3A%2F%2Fmy.carrollu.edu%2FICS%2FPortlets%2FLMS%2FAttendancePortlet%2FExportExcel.aspx%3FSectionID%3Dd800e38f-ef2f-467d-933c-72ce0603c7d9%26AttendanceMode%3D0&ei=gA2eUtSBGobpoASY3ID4Bw&usg=AFQjCNGKsTNLD4GoOj8PEQ71q_7EHqWALw&sig2=EcEetuTlfVzlWDXzb8yWEA&bvm=bv.57155469,d.cGU

Downloads an XLS file of student data

security@carrollu.edu abuse@carrolu.edu mzens@carrollu.edu msmith@carrollu.edu skuhn@carrollu.edu

4. Endicott College

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=7&ved=0CFkQFjAG&url=http%3A%2F%2Fgullnet.endicott.edu%2FICS%2FPortlets%2FLMS%2FAttendancePortlet%2FExportExcel.aspx%3FSectionID%3De8bfc36d-690a-4005-b3f8-6cee24fce99e%26AttendanceMode%3D0&ei=gA2eUtSBGobpoASY3ID4Bw&usg=AFQjCNEWtCcAZgDypkBYCksVQODN582ddA&sig2=5K55LzVCes3v6SRC6Y0hMA&bvm=bv.57155469,d.cGU

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=8&ved=0CGAQFjAH&url=http%3A%2F%2Fgullnet.endicott.edu%2FICS%2FPortlets%2FLMS%2FAttendancePortlet%2FExportExcel.aspx%3FSectionID%3D0116f106-18d7-48a1-86f6-56af60c7cdac%26AttendanceMode%3D0&ei=gA2eUtSBGobpoASY3ID4Bw&usg=AFQjCNGB8jXJ029uNg-dxNe07l2aI4V9jA&sig2=Afbhn_bYPGXU67Izi2_S4w&bvm=bv.57155469,d.cGU

Downloads XLS files of student data

scarvalh@endicott.edu bdawson@endicott.edu support@endicott.edu

5. Florida Southern College

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=47&ved=0CFkQFjAGOCg&url=https%3A%2F%2Fportal.flsouthern.edu%2FICS%2FPortlets%2FLMS%2FAttendancePortlet%2FExportExcel.aspx%3FSectionID%3D5cdc5856-0faf-400f-9e27-a7b1647758ef%26AttendanceMode%3D0&ei=XASeUoHJKYLwoAStlYCABA&usg=AFQjCNFYEVS6C4HxbM3keH_Q7VZRRPX0RA&sig2=h_KnhNfHqeAEVqi0yC9JFg&bvm=bv.57155469,d.cGU

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=19&ved=0CGYQFjAIOAo&url=https%3A%2F%2Fportal.flsouthern.edu%2FICS%2FPortlets%2FLMS%2FAttendancePortlet%2FExportExcel.aspx%3FSectionID%3D5cdc5856-0faf-400f-9e27-a7b1647758ef%26AttendanceMode%3D0&ei=txaeUqq2FYH0oAT1ioDACQ&usg=AFQjCNFYEVS6C4HxbM3keH_Q7VZRRPX0RA&sig2=dhdRzWiBM0bCkwMRnxkTVQ

FSCJustAsk@flsouthern.edu kpawlak@flsouthern.edu vdennis@flsouthern.edu security@flsouthern.edu

6. Quincy College

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=16&ved=0CFEQFjAFOAo&url=https%3A%2F%2Fregister.quincycollege.edu%2FICS%2FPortlets%2FLMS%2FAttendancePortlet%2FExportExcel.aspx%3FSectionID%3D9b992fb2-592a-4bb0-a4a1-eb47c9c7e6e4%26AttendanceMode%3D0&ei=txaeUqq2FYH0oAT1ioDACQ&usg=AFQjCNEpCgVws9iI7jMfnmtSkKm53gZQnQ&sig2=ReGelTHCvrn2P2r9nIahoQ

Downloads an XLS file of student data

ptsaffaras@quincycollege.edu tpham@quincycollege.edu sbossa@quincycollege.edu

7. Southern Maine Community College

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=42&ved=0CDYQFjABOCg&url=https%3A%2F%2Fmy.smccme.edu%2FICS%2FPortlets%2FLMS%2FAttendancePortlet%2FExportExcel.aspx%3FSectionID%3Dc0c01629-281c-4348-bd14-4b3f58198ef0%26AttendanceMode%3D0&ei=XASeUoHJKYLwoAStlYCABA&usg=AFQjCNEK2iAsTDHaeuUjJAZurVmb-t_TZQ&sig2=6kmjq3ytUpljogdkcJwTTA&bvm=bv.57155469,d.cGU

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=17&ved=0CFgQFjAGOAo&url=https%3A%2F%2Fmy.smccme.edu%2FICS%2FPortlets%2FLMS%2FAttendancePortlet%2FExportExcel.aspx%3FSectionID%3D651d7e58-8281-441b-883a-4b449c407570%26AttendanceMode%3D0&ei=txaeUqq2FYH0oAT1ioDACQ&usg=AFQjCNG29RWja2_pgwQnZdQflHna1HSL9A&sig2=4GpDAmDmVMe81-M4a2lXig

Downloads Excel spreadsheets with student attendance data with no authentication

aMullen@smccme.edu mhelpdesk@smccme.edu webmaster@smccme.edu

8. U of Mobile

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=11&ved=0CC4QFjAAOAo&url=https%3A%2F%2Fumportal.umobile.edu%2FICS%2FPortlets%2FLMS%2FAttendancePortlet%2FExportExcel.aspx%3FSectionID%3Db572f65b-5ed8-4862-97d1-32081b2dab0b%26AttendanceMode%3D0&ei=txaeUqq2FYH0oAT1ioDACQ&usg=AFQjCNEoXFejL2m-Rz9cA1ndbsx-ZYCQQA&sig2=8w8coH2hUeVK1ODd6tCI7Q&bvm=bv.57155469,d.cGU

Downloads an XLS file of student data

marketing@umobile.edu djohnson@umobile.edu tmashburn@umobile.edu mdavis@umobile.edu

9. U of Southern Indiana

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=4&ved=0CEQQFjAD&url=http%3A%2F%2Fwww.usi.edu%2Ftsisc%2Fexportexcel.asp%3Faffiliation%3DAdecco%2520Employment%2520Service&ei=gA2eUtSBGobpoASY3ID4Bw&usg=AFQjCNEz58yUgUePX8dIZhQDyqOkEGjejA&sig2=KpWzAoyeQ6_ioR6WhB1afg&bvm=bv.57155469,d.cGU

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=5&ved=0CEsQFjAE&url=http%3A%2F%2Fwww.usi.edu%2Ftsisc%2Fexportexcel.asp%3Faffiliation%3DA%2520%257C%2520A%2520Mechanical%2520Service%2520Inc&ei=gA2eUtSBGobpoASY3ID4Bw&usg=AFQjCNGNFcXzr8ZTZkf2ryvshFGwDjY8mg&sig2=i5ulJQ0A6ONi9hMSpTU2Ew&bvm=bv.57155469,d.cGU

Downloads XLS files of student data

abuse@usi.edu security@usi.edu jallen@usi.edu mmcox1@usi.edu

10. Union Institute & University

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=9&ved=0CGcQFjAI&url=https%3A%2F%2Fcampusweb.myunion.edu%2FICS%2FPortlets%2FLMS%2FAttendancePortlet%2FExportExcel.aspx%3FSectionID%3D33bfaede-74f7-44d0-9481-5612c783ee48%26AttendanceMode%3D0&ei=gA2eUtSBGobpoASY3ID4Bw&usg=AFQjCNG010sUCQ-TlgZqiu4F0zgkyZ0Eqg&sig2=dZVSMREVWAqaL0pk__iulQ&bvm=bv.57155469,d.cGU

Downloads an XLS file of student data

help@myunion.edu press@myunion.edu security@myunion.edu

11. Columbia College Chicago

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=50&ved=0CHAQFjAJOCg&url=https%3A%2F%2Foasis.colum.edu%2Fics%2FPortlets%2FLMS%2FAttendancePortlet%2FExportExcel.aspx%3FSectionID%3Da720c286-b81a-4b18-bcb4-a5757dddc7b2%26AttendanceMode%3D0&ei=SgOeUpGQDsvjoASTsoLoCA&usg=AFQjCNG6spkEDqLER3POJ9U90qvmsY7Nkg&sig2=_AylolG7hTLlsPffF385Cw&bvm=bv.57155469,d.cGU

Downloads Excel spreadsheets with student attendance data with no authentication

records@colum.edu skauffman@colum.edu clientservices@colum.edu security@colum.edu

12. Seton Hill U

LINK
SQLi

Downloads Excel spreadsheets with student attendance data with no authentication

support@setonhill.edu security@setonhill.edu

Notification

On 12-3-13, I sent a single email to all the addresses above, containing all the information above on this page, with this at the top:
To: sstrong@ciis.edu dreyna@ciis.edu security@ciis.edu web@ciis.edu Deborah.Jackson@cambridgecollege.edu Regina.Robinson@cambridgecollege.edu John.Papadonis@cambridgecollege.edu security@carrollu.edu abuse@carrolu.edu mzens@carrollu.edu msmith@carrollu.edu skuhn@carrollu.edu scarvalh@endicott.edu bdawson@endicott.edu support@endicott.edu FSCJustAsk@flsouthern.edu kpawlak@flsouthern.edu vdennis@flsouthern.edu security@flsouthern.edu ptsaffaras@quincycollege.edu tpham@quincycollege.edu sbossa@quincycollege.edu aMullen@smccme.edu mhelpdesk@smccme.edu webmaster@smccme.edu marketing@umobile.edu djohnson@umobile.edu tmashburn@umobile.edu mdavis@umobile.edu abuse@usi.edu security@usi.edu jallen@usi.edu mmcox1@usi.edu help@myunion.edu press@myunion.edu security@myunion.edu

Subject: Student Data Exposed on the Internet

Hello:

I am Sam Bowne, an Instructor in Computer Networking and Information Technology at City College San Francisco.

Your web site allows one or more attendance spreadsheets to be downloaded by anyone from the Internet.

Please alert your webmaster. Feel free to contact me if I can be of any assistance.

If you could, please tell me what software you are using to create these files, because, as you can see below, several colleges have the same problem.

Complete details are pasted below.

Exception: Columbia was accidentally included in my SQLi notifications, and was moved to this list later, as #11. Seton was added as #12 the same way.

Vulnerability Fixed!

One of the affected colleges forwarded this email to me:
--------- Forwarded message ----------
From: Uthe, Christopher
Date: Wed, Dec 4, 2013 at 5:46 PM
Subject: [ICS-A] FW: Security Patch Released
To: ICS-A@lists.jenzabar.net


All-

It has come to our attention that customers could inadvertently allow the attendance report (within e-Racer and eLearning) to be viewable by guest users. While this access is extremely unlikely (due to the high level of obscurity), it is important to be aware of potential access concerns that might result from this situation.

Thus, we have released an updated DLL for you to place in your Portal\Bin area which will strengthen the security and restrict access such that a user would need to be logged in with proper permissions in order to access the file. We have placed the update on the myJenzabar.net download page for both e-Racer and eLearning titled “Security Update 12/4 – LMSVERSION”.

For any customer who previously installed the recent eLearning test taking patch, you must use the Patch V7 to get this update (so as not to break your test taking updates.) If your current version is not listed with a patch file or if you would like to discuss this further, please feel free to contact me directly.

We will be posting an updated eLearning 1.1 installer to include this fix tomorrow. If you have downloaded but not installed eLearning 1.1, please re-download when you see a note that it has been updated to address this.

Thanks-

Chris Uthe
Product Manager, JICS & eLearning
Jenzabar, Inc.
101 Huntington Avenue, Suite 2200 | Boston, MA 02199
tel: 617.221.4444 cell: 605.291.2217 fax: 617.492.9081
christopher.uthe@jenzabar.net
www.jenzabar.com
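As an added example (not part of this post or of Jenzabar's code), here is a log-triage script an affected college could run over its own IIS logs to scope the exposure: it parses W3C-format lines, keeps only 200 responses to the ExportExcel.aspx path that were served with no authenticated username, and groups them by SectionID, counting search-engine crawler hits separately since those are what got the files indexed. The log lines, SectionIDs and IP addresses are constructed, and the field layout is assumed from the #Fields directive.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed sample IIS W3C log lines (not from any real server). The column
# order comes from the #Fields directive, which IIS writes at the top of each log.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip cs(User-Agent) sc-status
2013-12-01 03:14:07 GET /ICS/Portlets/LMS/AttendancePortlet/ExportExcel.aspx SectionID=aaaaaaaa-0000-0000-0000-000000000001&AttendanceMode=0 - 203.0.113.5 Mozilla/5.0+(compatible;+Googlebot/2.1) 200
2013-12-01 09:20:11 GET /ICS/Portlets/LMS/AttendancePortlet/ExportExcel.aspx SectionID=aaaaaaaa-0000-0000-0000-000000000001&AttendanceMode=0 jdoe 198.51.100.7 Mozilla/5.0+(Windows+NT+6.1) 200
2013-12-02 14:02:33 GET /ICS/Portlets/LMS/AttendancePortlet/ExportExcel.aspx SectionID=aaaaaaaa-0000-0000-0000-000000000002&AttendanceMode=0 - 198.51.100.9 Mozilla/5.0+(Macintosh) 200
2013-12-02 14:03:01 GET /ICS/Portlets/LMS/AttendancePortlet/ExportExcel.aspx SectionID=aaaaaaaa-0000-0000-0000-000000000003&AttendanceMode=0 - 198.51.100.9 Mozilla/5.0+(Macintosh) 302
2013-12-02 15:00:00 GET /ICS/Home.aspx - - 198.51.100.9 Mozilla/5.0+(Macintosh) 200
"""

# The export endpoint named in the post; compared case-insensitively because
# IIS paths are case-insensitive and the indexed URLs mix /ICS/ and /ics/.
EXPORT_PATH = "/ics/portlets/lms/attendanceportlet/exportexcel.aspx"
CRAWLER_RE = re.compile(r"googlebot|bingbot|slurp", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def find_exposed_exports(text):
    """Return {section_id: {"anon_hits", "crawler_hits", "sources"}} for every
    section whose spreadsheet was served (HTTP 200) to an unauthenticated client."""
    exposed = defaultdict(lambda: {"anon_hits": 0, "crawler_hits": 0, "sources": set()})
    for rec in parse_w3c(text):
        if rec["cs-uri-stem"].lower() != EXPORT_PATH or rec["sc-status"] != "200":
            continue  # other pages, or redirects to the login form, are not exposures
        if rec["cs-username"] != "-":
            continue  # an authenticated download is the intended behaviour
        section = parse_qs(rec["cs-uri-query"]).get("SectionID", ["?"])[0]
        entry = exposed[section]
        entry["anon_hits"] += 1
        entry["sources"].add(rec["c-ip"])
        if CRAWLER_RE.search(rec["cs(User-Agent)"]):
            entry["crawler_hits"] += 1
    return dict(exposed)
```

Each SectionID in the result identifies one class roster that left the server without a login, which is the list to use for the FERPA notification decision; a crawler hit also means a copy may persist in a search engine cache after the DLL patch is applied.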


Written 12-5-13 by Sam Bowne