In Massive Security Oversight, Thousands of Private University Documents Left Vulnerable

A widespread security oversight left at least tens of thousands of Harvard’s administrative files — including sensitive and confidential information on University governance — available for anyone with Harvard credentials to view, edit, download, and share.

For at least the last several months, users of the search engine Bing who logged in with their Harvard-affiliated email accounts could access certain files and internal websites created or worked on by other University affiliates on the Microsoft-owned platforms OneDrive and SharePoint. Files left available included those viewed or created by mid-level employees all the way up to some associated with University Provost Alan M. Garber ’76 and President Lawrence S. Bacow.

The documents remained available until The Crimson contacted the University about the issue last week. Over the weekend, the University disabled the ability to use Bing to search the Microsoft platforms linked to Harvard and shut down a similar internal search function within Microsoft 365 called Delve.

Harvard University Information Technology spokesperson Timothy J. Bailey wrote in an emailed statement Monday that HUIT is currently “taking appropriate steps” to identify unauthorized access to sensitive files, revert sensitive files back to private, and create guidelines to protect confidential information going forward.

“Harvard University officials are aware that some individuals within the Harvard community may have accessed files that they are not authorized to view,” he wrote. “This access and exposure is not the result of malicious activity by external actors.”

Harvard administrators rely on Microsoft 365 software to share documents internally, including files containing confidential information.

OneDrive and SharePoint offer file creators an array of privacy setting options, ranging from personal use only to a “shared with everyone” selection, which some Harvard employees selected in an apparent attempt to share documents with colleagues on their teams.

But by choosing to send files using the “shared with everyone” option, dozens of University administrators inadvertently opened the door for any Harvard affiliates to stumble upon the files.

Through its Microsoft Search in Bing functionality — which was introduced in June 2021 — the search engine indexed any files owned or worked on by University affiliates that were not placed on a private setting. A user logged into Bing with their HarvardKey could be offered these documents by the search engine simply by entering key terms or administrator, faculty, staff, or student names.

The documents left vulnerable included user passwords stored unencrypted, HUID numbers, donor names, and employee vaccination status reports. There were also memos on University finances; detailed personnel data; diversity, equity, and inclusion efforts; and campus expansion plans.

A Microsoft support webpage on Microsoft Search in Bing confirmed that administrators cannot access an individual’s school search history, meaning the University would not be able to determine who may have accessed which documents. HUIT can only “see the number of searches by type (people, files, etc.) and an aggregated list of top searches,” according to the webpage.

“We’re aware of the issue and supporting our customer,” a Microsoft spokesperson wrote in an email regarding Harvard’s security oversight.

Even though the files would only appear for a Bing user logged into their Harvard credentials, the oversight could potentially expose the vulnerable information to a much broader audience, according to Kennesaw State University professor Andrew Green, who studies information security.

Green said Bing’s download and share options heighten the risk of exposure.

“Once that data is out there and can be downloaded by anybody, it can be shared with everybody,” Green said. “So when we start looking at potential scope, this is global exposure — whether or not it actually happened.”

“This information leakage is bad,” he added. “We don’t really know the potential impact yet, because we don’t know who’s gotten their hands on it.”

—Staff writer Kelsey J. Griffin can be reached at kelsey.griffin@thecrimson.com. Follow her on Twitter @kelseyjgriffin.

—Staff writer Simon J. Levien can be reached at simon.levien@thecrimson.com. Follow him on Twitter @simonjlevien.