A student at Western Oregon University who accidentally discovered a file containing personal data on a publicly accessible university server and then handed that data over to the student newspaper has narrowly escaped being expelled for his actions.
But a contracted adviser to the newspaper has been dismissed for allegedly mishandling the data and for failing to properly advise the students on the university's policies relating to handling of personally identifiable data.
Brian Loving, a student at WOU, stumbled upon a file containing the names, Social Security numbers and grade point averages of between 50 and 100 students on a publicly accessible university server in June. Loving downloaded a copy of what he discovered and handed it over to the Western Oregon Journal, the campus newspaper.
After making a copy of the file, the newspaper's editor and Loving then informed the university about the security breach. Though the paper's final publication date for the academic year had already passed, it decided to publish a four-page special report with an article describing Loving's discovery. No names of any of the students were published in the article.
The episode triggered an internal investigation at WOU. It also prompted campus officials to send IT staffers into the paper's closed newsroom and search newsroom computers for copies of the file that may have been stored in those systems.
Two months into the investigation, Loving -- who is now a staffer with the newspaper -- was found to have broken a university computer use policy that prohibits unauthorized people from accessing confidential files that may have been inadvertently placed in a publicly accessible location. On Sept. 28 he faced a disciplinary hearing over the incident.
Mark Weiss, the university executive vice president of finance and administration, on Wednesday cited student confidentiality and refused to describe the outcome of the hearing. But he denied that Loving had ever been expelled as a consequence for his action, as some local media outlets suggested.
Weiss also confirmed that Susan Wickstrom, who had been an adviser to students working at the newspaper, is no longer in that position since the university chose not to renew her contract. He did not say if the reason for the non-renewal had anything to do with Loving's security breach incident report.
A source at the university who wished to remain anonymous said that Wickstrom's contract was not renewed because of her failure to advise students against making copies of the exposed file and for her failure to advise them about the school's relevant computer use policies.
"This was not a freedom of the press issue at all," Weiss said. The school newspaper should be able to write on any topic it wants to, he said. Similarly, "the issue is not that the student discovered a file that contained confidential information. For that we are grateful," said Weiss, who also expressed gratitude to Loving for discovering a vulnerability the university had not been aware of up to that time.
Rather, the problem had to do with the manner in which the information was handled after it had been discovered, Weiss said.
"Once confidential information is discovered, we don't expect people to be downloading copies of that information and giving it to other people," he said. "He mishandled copies of the file," Weiss said of Loving. "People who know this shouldn't be done should be advising students on what the right thing to do is," he said in an apparent reference to Wickstrom.