Following highly publicized breaches of University data including sexual violence records and Graduate School of Business financial aid statistics, the University’s File Security Storage Program began automatically scanning individual users’ publicly shared files for sensitive information in June 2018.
Starting today, Stanford will notify owners of “newly created or modified” public files if the University has found sensitive information within their documents. The files scanned include those hosted on Google Drive, Box, OneDrive, the Andrew File System (AFS) and “select departmental Windows file servers” that are publicly accessible or accessible to anyone at Stanford.
The automated scanning looks for “patterns that match social security numbers, credit card numbers and routing numbers,” program manager Mike Takahashi wrote in an email to The Daily. Owners of flagged files will receive an email from Proofpoint, the University’s data security provider.
Though the email notifications began today, scanning has been ongoing for 10 months. The program later added further measures: on Feb. 28, the University began to automatically reduce the number of people with access to files flagged by the scanning system.
Cybersecurity firm Proofpoint performs the automatic scanning and sends the email notifications for files deemed sensitive. Proofpoint began its relationship with Stanford as its email security service provider, filtering out spam, malware and phishing from “nearly all incoming and outgoing University email,” Takahashi explained.
“After a thorough comparison of data loss prevention (DLP) solutions, we selected Proofpoint for our DLP service because of our existing business relationship with them and their track record of close partnership with us on enhancements,” Takahashi wrote.
He added that the program “will gradually expand scanning to cover files that are shared with 100 or more individuals.” Lowering the threshold further would become technically inefficient because of the volume of eligible files, Committee on Academic Computing and Information Systems member Levi Lian ’22 told The Daily.
When asked whether human review of files is involved in the scanning process, Takahashi noted that “manual inspection is only performed when necessary,” such as when validating a report questioned by the file owner.
“Manual inspection is performed when high-risk files are identified through automatic screening to reduce the false positive rate,” Lian wrote.
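As an added illustration (not Stanford’s or Proofpoint’s code), the kind of pattern scan described above, with checksum validation as one way to cut false positives before any manual review; the patterns, thresholds and sample text are assumptions constructed for this example:

```python
import re

# Assumed patterns: SSN with hyphens, 13-19 digit card numbers with optional
# separators, and bare 9-digit groups as routing-number candidates.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
ROUTING_RE = re.compile(r"\b\d{9}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check used by card issuers; filters random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def aba_ok(digits: str) -> bool:
    """ABA routing checksum: 3*(d1+d4+d7) + 7*(d2+d5+d8) + (d3+d6+d9) == 0 mod 10."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    weights = (3, 7, 1) * 3
    return sum(int(d) * w for d, w in zip(digits, weights)) % 10 == 0


def scan(text: str) -> list:
    """Return (category, value) hits; candidates failing a checksum are dropped."""
    hits = [("ssn", m.group()) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(("credit_card", digits))
    for m in ROUTING_RE.finditer(text):
        if aba_ok(m.group()):
            hits.append(("routing", m.group()))
    return hits


# Constructed sample document: one real-looking value per category plus two
# look-alikes (a card with a typo, a 9-digit id) that the checksums reject.
SAMPLE = """Applicant SSN: 123-45-6789
Card on file: 4111 1111 1111 1111, mistyped card: 4111111111111112
Routing: 123456780 (checksum-valid), phone id 123456789
"""

if __name__ == "__main__":
    for category, value in scan(SAMPLE):
        print(f"{category}: {value}")
```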
“The program shouldn’t pose any privacy concerns as it focuses only on shared files that are already publicly exposed,” wrote Stanford Bug Bounty co-organizer Jack Cable ’22 in an email to The Daily.
The File Security Storage Program is an initiative sponsored by the Chief Information Officer (CIO) Council, composed of IT leaders from around Stanford. It was established after a series of data leaks in late 2017, one involving data breaches in the AFS file system and another involving leaked financial data from the Graduate School of Business (GSB) that was eventually followed by the resignation of GSB’s Chief Digital Officer Ranga Jayaraman. Both leaks involved misconfigured permissions on files in University file systems.
The start of the notification system also comes on the heels of another data breach that allowed students to view the Common Applications and high school transcripts of other students through the University’s third-party file scanning system Nolij by tweaking a file URL.
Takahashi is also the program manager of the University’s Bug Bounty Program, which was established in Jan. 2019 to help Stanford community members report vulnerabilities in an attempt to bolster security.
“The types of vulnerabilities vary, but they’ve all been making a positive impact on our security posture,” Takahashi told The Daily at the time. “We’re very thankful for the students that have been involved and encourage others to join in.”