A-plus and failing grade reports briefly exposed by University website

An internal Office of the Dean of the College (ODOC) website was briefly exposed during a period of software maintenance on Dec. 22, allowing unauthorized users to access certain faculty reports, including those on students receiving Academic Early Alerts and those more recently submitted on students who had earned a failing or A-plus grade in a course.

Instructors who submitted reports on the website and students mentioned in the reports were notified on Monday via email from Dean of the College Michael Gordin and Vice President for Information Technology Daren Hubbard.

The email stated that the site was exposed for less than an hour and accessed by a “handful of unauthorized users.” However, the email clarified that the site does not contain sensitive personal data, such as Social Security numbers or financial information, nor did the exposure provide access to the Office of the Registrar’s systems which record official grades.

When an undergraduate student earns an A-plus or failing grade, the course instructor must submit a report with a written justification for the grade to be reviewed by ODOC deans. Each report includes the student’s ID, course, term, and instructor.

Users accessing the site while it was exposed could view these records, along with buttons that appeared to give them permissions to edit, delete, and export reports. It is not clear whether a net ID login was required to access the site; users were displayed as logged in to an administrator account.

The site also houses Shapiro Prize nominations, awarded to first- and second-year students for exceptional academic achievement, and Academic Early Alert, which allows instructors to notify residential college deans and assistant deans for studies about students who are struggling academically. No Shapiro Prize nominations had been made at the time of the breach.

This exposure follows a recent breach of University systems that compromised a fundraising database and disrupted printing and single sign-on systems. That incident has prompted several lawsuits against the University, claiming negligence and breach of contract. The University of Pennsylvania and Columbia University, among others, have also been targeted by cyberattacks this year.

This exposure differs from previous breaches, as the information was left unprotected by mistake during software maintenance and was not the result of a malicious cyberattack.

Support nonprofit student journalism. Donate to the ‘Prince.’ Donate now »

“We are sorry that this happened, and we continue to monitor the situation,” Gordin and Hubbard wrote.

Vitus Larrieu is a senior News writer for the ‘Prince.’ He is from Pensacola, Fla. and typically covers community activism, the state of higher education, and construction and architecture.

Please send any corrections to corrections[at]dailyprincetonian.com.