February 21, 2014 by Sandra Petri
Educational information about 5,379 Drexel students was accidentally emailed to 479 other students the week of Feb. 10 due to a mistake made by a co-op advisor in the Steinbright Career Development Center. As a precaution, each student whose information was disclosed was issued a new University ID number Feb. 18.
Students who were sent the original email received a recall notification from the co-op advisor Feb. 11. All affected students were notified of the disclosure Feb. 17.
According to Peter Franks, vice provost for career education, the email was sent to students who had an “exemplary experience” during a co-op in the last year, offering them the chance to nominate their employer for an annual Co-operative Education Award. An Excel spreadsheet containing the information was accidentally attached to this email. The spreadsheet contained the names, majors, Drexel email addresses, student identification numbers and GPAs of the students.
Once the error was realized, Information Resources and Technology staff deleted the email from the Drexel servers, which pulled it out of all Drexel inboxes. Only students who have their University email forwarded to another account have retained the document. All those who received the attachment were instructed to delete it immediately and were informed that using or sending the document is in violation of school policy.
An email from the Office of the Provost announcing the mistake was sent to all affected students the morning of Feb. 17. Because the records that were disclosed do not include financial information, Social Security numbers, addresses or birth dates, the administration does not believe that accounts have been seriously compromised. According to Franks, no information disclosure like this has ever happened at the SCDC before. The SCDC already has plans to improve internal processes to prevent a similar occurrence in the future.
“All data lists of student records will be separated from any email message content that is circulated internally within the SCDC. All such messages containing data records will go through a second review process before being moved forward,” Franks said. “Only the necessary information for the purpose of the message will be included in any student data record lists that are shared within the SCDC.”
According to University policy, records regarding the employee who made the mistake must remain confidential.
“All SCDC staff are very aware of the need for keeping data private and will be receiving additional training in this area,” Franks said.
Jenna Schabdach, a pre-junior studying electrical engineering, said she was curious about how something like this could have happened in the first place.
“I think Drexel usually does a good job about protecting my personal information, but I still wonder how this leak could have happened. The University’s reaction is reassuring, though, and shows that they do care about protecting student privacy,” she said.
Other students don’t seem so convinced of the safety of their information.
“Drexel evidently isn’t doing enough to protect my personal information if they’re exporting spreadsheets full of sensitive student data to other students. That’s just an objective truth,” Zach Blackwood, a senior entertainment and arts management major, wrote in an email.
Steve DiPietro, a junior information systems major, said he’s more frustrated than angry at the situation. “This accident is one that could have simply been avoided if proper attention was paid before the email was sent away to these 479 Drexel students. I say that it could have been avoided because one does not accidentally attach a spreadsheet with sensitive information of thousands of students and then accidentally send it out to hundreds of recipients,” he said.
All students whose information was disclosed received an email between 2 and 4 p.m. informing them of their new ID numbers, and the change was also announced via DrexelOne.
“Getting a new ID number is actually pretty irritating. I’m only here for a couple more months, and I’ve had my old one since my senior year of high school. It’s definitely an inconvenience,” Blackwood said.
“Honestly, it will be a hassle to have to remember a new set of digits after having had the same one for the past four years, but what other options do I have?” DiPietro said.
Representatives from the Office of the Provost directed The Triangle to the Office of University Communications, which issued an official statement after the incident. The statement included the total number of students whose information was disclosed: approximately 5,400. This was the only information included in the University statement that was not included in the provost’s previous email.
According to the statement, “Drexel takes great care in securing student educational records and related information and deeply regrets this occurrence. The University will be carefully and immediately re-examining all of its related internal operating policies and procedures in response to this incident.”
Senior engineering major Abhishek Yeleswarapu received an email Feb. 18 from co-op coordinator Rachel Johnson stating the exact number of students’ information that was disclosed.
There was a similar incident during the spring of 2013 where the College of Engineering accidentally emailed student information. Hunter Hall, a sophomore studying mechanical engineering, received an email May 31, 2013 informing him of the disclosure.
The email states that “The disclosure was in the form of an email with an attachment that included information such as your name, birthdate, student identification number (ID), grade point average and academic standing. The records were inadvertently sent by the University to approximately 135 Drexel freshman College of Engineering students.”
Hall was also one of the students affected by the SCDC disclosure this week. He received a personal phone call from an SCDC representative informing him of the most recent error.
“I guess they are handling the situation really the best way that they can. They reached out to students that this has happened multiple times to, and changing information that was leaked that they can,” Hall said.
Still, he’s not convinced that Drexel offices are doing everything they can to protect his information. “We pay way too much money to have to deal with this kind of sloppy administration. Yes, this wasn’t super critical information, but how can we be sure that this won’t happen with bank accounts and social security numbers?” he asked.