In late February, Harvard University revealed it had a huge issue; more than 1.4 million emails were open to the public.
As one of the most prestigious universities in the world, students and teachers alike had no idea the information they were sending day in and out was available to anyone with an internet connection. These emails revealed sensitive information such as students’ grades, financial information, and social security numbers, as well as bank account numbers for student organizations, advanced copies of final exams, and answer keys.
While the directory of emails was only accessible to Harvard affiliates, the emails themselves were open to the public, leaving students and other users at risk.
The lack of email security was due to a default setting for list archives, that them all public unless the administrator manually changed it to private. While the Harvard Computer Society (the organization who supplied the list services), was aware of the default setting, they had assumed that people had configured their list correctly and therefore was unaware of the scope of the problem.
More than 5,500 of roughly 7,000
logged email lists had
publically accessible archives
Luckily for the university, the problem was noticed by a member of their school’s newspaper The Crimson and was quickly amended by the Harvard Computer Society (HCS).
Once notified of the issue the HSC made sure to restrict access to the archives of all existing lists whose membership was private and send out a privacy check email to every list admin reminding them of the setting. While these steps, along with temporally taking down the main list directory, helped to reduce the amount of information that is publicly available, Harvard students should still be wary of what may come in the aftermath.
The sensitive and personal information that was made public can be easily used by hackers to send spear phishing attacks towards Harvard students. Spear phishing attacks are especially dangerous as they are targeted to a specific user or set of users, and use prior information to get the user to click or download the malware or viruses contained in the email.
Although the HCS may have fixed this issue, the mistake should be a stern reminder of why email security should be in the forefront of one’s mind.