Last updated: October 07
Security-breach student narrowly avoids expulsion

An American student narrowly escaped expulsion from his university after he accidentally discovered a file containing personal data on a publicly accessible university server and handed the data to the local student newspaper.

Although, Brian Loving, who studies at Western Oregon University, had a lucky escape, a contracted adviser to the Western Oregon Journal has been dismissed for allegedly mishandling the data and for failing to properly advise the students on the university’s policies relating to handling of personally identifiable data.

Loving stumbled across a file which contained the names, Social Security numbers and grade point averages of between 50 to 100 students in June. He made a copy of the file and handed it to the campus newspaper.

The paper’s editor and Loving then informed the university of the security breach. The publication’s final issue had already passed but they decided to publish a four-page special report with an article describing Loving’s discovery. No names of any of the students were published in the piece.

The university came down hard on Loving and the paper, immediately launching an internal investigation. University authorities also sent IT staff into the paper’s closed newsroom to search computers for copies of the file that may have been stored on them.

Two months into the investigation Loving, who now works for the Western Oregon Journal, was found to have broken a university computer use policy that prohibits unauthorised people from accessing confidential files that may have been inadvertently placed in a publicly accessible location. On September 28 he attended a disciplinary hearing over the incident.

Mark Weiss, the university executive vice president of finance and administration said that Loving had not been expelled for the breach.

He also confirmed that Susan Wickstrom, who had been an adviser to students working at the newspaper, is no longer in that position since the university chose not to renew her contract. He did not say if the reason for the non-renewal had anything to do with Loving’s security breach incident report.

A source at the university who wished to remain anonymous said that Wickstrom’s contract was not renewed because of her failure to advise students against making copies of the exposed file and for her failure to advise them about the school’s relevant computer use policies.

Weiss said, “This was not a freedom of the press issue at all. The school newspaper should be able to write on any topic it wants to. Similarly, the issue is not that the student discovered a file that contained confidential information. For that we are grateful. Rather, the problem had to do with the manner in which the information was handled after it had been discovered.”

“Once confidential information is discovered, we don’t expect people to be downloading copies of that information and giving it to other people. He mishandled copies of the file. People who know this shouldn’t be done should be advising students on what the right thing to do is,” he stated.

He also defended the university’s decision to send staff in to search the newspapers computers, “The last issue of the student newspaper had already been printed. We asked [newspaper staffers] for the files that were copied to be returned. When the newspaper did not respond, IT staffers went in to retrieve any files that might have been copied and stored on newsroom computers, he said. At the time when the IT staff went in the newspaper offices had been shut down for the summer”, he said.

“We considered whether or not it was appropriate to enter, look for and take those files that were taken from our systems and we concluded that it was appropriate,” he added.