Here’s a Security Oversight That Left People at Harvard Crimson Faced: Cybersecurity Trends

See what I did there?  😉  OK, it might not be so funny to people at Harvard, who experienced a widespread security oversight that left tens of thousands of Harvard’s sensitive and confidential administrative files available for anyone with Harvard credentials to view, edit, download, and share.

According to The Harvard Crimson (In Massive Security Oversight, Thousands of Private University Documents Left Vulnerable, written by Kelsey J. Griffin and Simon J. Levien), for at least the last several months, users of the search engine Bing who logged in with their Harvard-affiliated email accounts could access certain files and internal websites created or worked on by other University affiliates on the Microsoft-owned platforms OneDrive and SharePoint. Files left available included those viewed or created by mid-level employees all the way up to some associated with University Provost Alan M. Garber ’76 and President Lawrence S. Bacow.

The documents remained available until The Crimson contacted the University about the issue earlier this month (note: it’s never good for the press to find your cybersecurity issues for you, even if it is the college newspaper). Over the following weekend, the University disabled Microsoft Search in Bing for the Harvard tenant and shut down a similar internal search function within Microsoft 365 called Delve.

Harvard administrators rely on Microsoft 365 software to share documents internally, including files containing confidential information.

OneDrive and SharePoint offer file creators an array of sharing options, ranging from personal use only to a “shared with everyone” selection, which some Harvard employees chose in an apparent attempt to share documents with colleagues on their teams.

The catch is that “everyone” in that setting means everyone in the organization, not just a team. By choosing it, dozens of University administrators inadvertently granted every Harvard account access to the files, opening the door for any Harvard affiliate to stumble upon them.

Through its Microsoft Search in Bing functionality (introduced back in June), the search engine indexed any files owned or worked on by University affiliates that were not placed on a private setting. A user logged into Bing with their HarvardKey could be offered these documents by the search engine simply by entering key terms or administrator, faculty, staff, or student names. One point worth being clear about: Microsoft Search only returns items the signed-in user already has permission to open, so the search did not grant access to anything. It made the over-shared files easy to find, and turning it off makes them harder to find, but the files stay shared with every account in the tenant until the sharing itself is trimmed.
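Since disabling search does not undo the sharing, the practical follow-up is to find every file shared with the whole tenant (or wider) and fix it. The script below is an added example, not code from the original post or from Harvard; it triages a permission export for exactly the “shared with everyone” condition described above. The export shape is modeled on the Microsoft Graph driveItem permission resource (link scope plus grantee identities), the claims-based login names it matches for SharePoint’s built-in “Everyone” groups are stated as assumptions in the comments, and the file paths, tenant id and e-mail addresses are constructed sample data.

```python
"""Flag SharePoint/OneDrive files that are shared tenant-wide or wider.

Added example (not from the original post). Input is a JSON list of
{"item": path, "permissions": [...]} records whose permission objects follow
the Microsoft Graph driveItem permission shape (assumption: an export in that
shape is available; the sample below is constructed).
"""
import json

# Link scopes that reach beyond a named set of people. "organization" is the
# "People in <org>" link that "shared with everyone" produces; "anonymous" is
# "Anyone with the link" and is worse still.
BROAD_LINK_SCOPES = {"organization": "org-wide link", "anonymous": "anonymous link"}

# Claims-based login names SharePoint uses for its built-in "everyone" groups
# (assumption: the tenant id is appended after the slash in the first form).
EVERYONE_LOGIN_PREFIXES = (
    "c:0-.f|rolemanager|spo-grid-all-users/",   # Everyone except external users
    "c:0(.s|true",                              # Everyone
)
EVERYONE_DISPLAY_NAMES = {"everyone", "everyone except external users"}

# Filename hints drawn from the categories the post lists as exposed.
SENSITIVE_HINTS = ("password", "huid", "donor", "vaccin", "personnel", "finance")


def permission_reason(perm):
    """Return why this permission entry is tenant-wide or wider, or None."""
    link = perm.get("link") or {}
    if link.get("scope") in BROAD_LINK_SCOPES:
        return BROAD_LINK_SCOPES[link["scope"]]
    grantees = [perm.get("grantedToV2") or {}] + list(perm.get("grantedToIdentitiesV2") or [])
    for grantee in grantees:
        group = grantee.get("siteGroup") or grantee.get("group") or {}
        login = (group.get("loginName") or "").lower()
        name = (group.get("displayName") or "").lower()
        if login.startswith(EVERYONE_LOGIN_PREFIXES) or name in EVERYONE_DISPLAY_NAMES:
            return f"granted to built-in group '{group.get('displayName', login)}'"
    return None


def find_overshared(export_json):
    """Parse the export and list every broad share, worst first."""
    findings = []
    for entry in json.loads(export_json):
        for perm in entry.get("permissions", []):
            reason = permission_reason(perm)
            if reason is None:
                continue
            name = entry["item"].rsplit("/", 1)[-1].lower()
            findings.append({
                "item": entry["item"],
                "reason": reason,
                "roles": sorted(perm.get("roles", [])),
                "sensitive": any(h in name for h in SENSITIVE_HINTS),
            })
    # Sensitive-looking, writable items first; then by path for stable output.
    findings.sort(key=lambda f: (not f["sensitive"], "write" not in f["roles"], f["item"]))
    return findings


# Constructed sample export: three files, two of them over-shared.
SAMPLE_EXPORT = json.dumps([
    {   # org-wide edit link: the "shared with everyone" mistake from the post
        "item": "/sites/AdminOps/Shared Documents/vendor-passwords.xlsx",
        "permissions": [
            {"id": "p1", "roles": ["write"], "link": {"scope": "organization", "type": "edit"}},
            {"id": "p2", "roles": ["owner"], "grantedToV2": {"user": {"email": "ops.lead@example.edu"}}},
        ],
    },
    {   # direct grant to the built-in "Everyone except external users" group
        "item": "/sites/HR/Shared Documents/Vaccination-status-report.docx",
        "permissions": [
            {"id": "p3", "roles": ["read"], "grantedToV2": {"siteGroup": {
                "displayName": "Everyone except external users",
                "loginName": "c:0-.f|rolemanager|spo-grid-all-users/00000000-0000-0000-0000-000000000000"}}},
        ],
    },
    {   # shared with named colleagues only: not flagged
        "item": "/sites/AdminOps/Shared Documents/team-agenda.docx",
        "permissions": [
            {"id": "p4", "roles": ["read"], "link": {"scope": "users", "type": "view"},
             "grantedToIdentitiesV2": [{"user": {"email": "colleague@example.edu"}}]},
        ],
    },
])

if __name__ == "__main__":
    for f in find_overshared(SAMPLE_EXPORT):
        flag = "SENSITIVE " if f["sensitive"] else ""
        print(f"{flag}{f['reason']:<45} roles={f['roles']} {f['item']}")
```

Run as-is it reports the password spreadsheet (org-wide edit link) and the vaccination report (granted to “Everyone except external users”) and ignores the agenda shared with a named colleague. The filename hints are only a triage aid for ordering the list; anything the script flags is reachable by every account in the tenant regardless of its name, and the remediation is the same for all of them: replace the org-wide share with named people or a team group.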


The documents left vulnerable by the security oversight included user passwords stored unencrypted (in plaintext), HUID numbers, donor names, and employee vaccination status reports. There were also memos on University finances; detailed personnel data; diversity, equity, and inclusion efforts; and campus expansion plans.

A Microsoft support webpage on Microsoft Search in Bing confirmed that administrators cannot access an individual’s school search history, meaning the University would not be able to determine who may have accessed which documents. Harvard University IT (HUIT) can only “see the number of searches by type (people, files, etc.) and an aggregated list of top searches,” according to the webpage.

So, highly sensitive documents were exposed to every Harvard account, and there’s no way to tell from the search side who found them. (Whether a given file was actually opened or downloaded is a separate question for Microsoft 365’s own file-access audit logging, where enabled; the search history limitation above doesn’t answer it either way.) Unfortunately for Harvard, that’s quite a security oversight!  Somehow, I have a feeling a few more organizations may be “crimson-faced” over this new Bing functionality.

The article has more information here.  Hat tip to Don Swanson of Five Star Legal for the tip on the story – thanks Don!

So, what do you think?  Were you aware of the new Microsoft Search in Bing functionality that indexes new files for searching?  You are now!  Please share any comments you might have or if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.
