Cyber security is a critical issue, especially considering the wealth of dirt that schools and even employers can dig up via the Internet. One student's experience with this, however, goes beyond getting busted for posting drunken pictures on Facebook.
In what began as a moment of curiosity, this math education graduate student discovered - much to her horror - that her full name, person number and even the grades for a class she had taken as an undergraduate were available online.
"I saw my full name, even my middle name though I don't use it, and my person number," said Sarah, whose last name has been withheld because as of press time, some sensitive information was still available online.
The Microsoft Excel file included a complete rundown of Sarah's grades for that class, as well as the names, person numbers and grades for the rest of the class.
"I was scared," Sarah said. "I thought it was really bad, because if it was last semester, that's one thing, but I took that class in 2002."
Andrei Reinhorn, professor of structural engineering, taught the class in question, but said he did not make the grades available online and doesn't know how the Web page became public.
"If anyone got hold of that file, it got pulled out of the repository for some reason that was unauthorized," he said.
According to Reinhorn, the files are used to provide information to students, but they are placed in a database that is password-protected.
"Only I am authorized to do that (make the files visible)," he said. "It must have been illegally hacked into, because I didn't change anything with that file."
A. Scott Weber, chair of the department of civil, structural and environmental engineering, said that the department had the utmost concerns for students' privacy. He added that any future actions regarding the incident would be up to Reinhorn.
"I am leaving this in his hands," he said. "I know that he was very concerned when informed about the issue and acted responsibly."
When he was informed about the Excel file, Reinhorn removed it from the course's website, thereby making it unavailable through search engines. However, the file was once again obtainable a week later. Reinhorn could not be reached for further comment.
Regardless of how the information got onto the Internet, Sarah said she is concerned that her friends or even future employers can see her grades for the class.
"I'm definitely nervous about that (employers), because the class is what I consider to be a weeding out class," said Brian, Sarah's fiancée, who is also listed in the online file. "It's one of those classes you take when they're still making it incredibly difficult because there's an incredibly large number of people in the classes. If someone was to just search for my name, they (could) see that I did poorly in that class."
Another immediate concern was that her person number might fall into the wrong hands, Sarah said, but many UB officials stress the fact that there is not much to be attained with merely a person number and a name.
Rick Lesniak, director of academic services for UB's Computing and Information Technology, said that the person number was originally intended to be a way to "index" students, not a password or other secure number.
"People are starting to use it as a social security number," he said. "Unfortunately, the person number was created so that people could do this sort of thing (posting grades) without using names."
Terri Mangione, senior associate vice provost for student academic records, said an email is sent to faculty members every semester reminding them not to publicly post grades online during the school year using a person number. Instead, they are encouraged to post them through the MyUB Web site.
"It's what we strongly recommend, but we know that not everybody is following that," she said.
Mangione also said that the Excel file's person numbers didn't necessarily infringe on the students' personal security.
"There's nothing that anybody could do with just the person number," she said. "But posting a whole list of students' names with their grades that's accessible in a public format is unacceptable. Grades are private records."
Mangione added that the university's computer security is "almost impossible" to breach.
"I would find it very difficult to believe that data on one of the university's machines, or information on university servers could be accessed or hacked into," she said.
Mangione also said that if sensitive information is placed on a faculty member's personal machine, then its security relies on that personal machine.
"If a faculty member is compelled to edit grades on a home computer and then post them online, then it's subject to whatever security they choose to use at home, and we don't have any control over that," Mangione said.
Because the issue of privacy and the Excel file have come up again, Sarah still feels that her concerns have not been addressed.
"It's one of those things. Your grades are confidential. It's not just that it's your person number too, (but) I can see all my friends' grades," she said. "I can see that my fiancée got a C."


