IT Oversight Left Thousands of Harvard Internal Files Vulnerable — Again

Last fall, after The Crimson discovered a large-scale information security oversight at Harvard that left tens of thousands of administrative files available for University affiliates to view and download, school officials said they took quick steps to patch the issue.

But Harvard’s IT troubles didn’t end there.

A second, similar security oversight left thousands of internal files from units across the University available for anyone with Harvard login credentials to access via the collaborative platform Microsoft SharePoint. Users logged in with their school account could find the files by entering keywords into the platform's search function.

The documents left vulnerable ranged from obsolete files, such as outdated organizational charts and personal memos, to some sensitive material, such as information about University finances, donors, and employees.

The vulnerability — discovered by The Crimson earlier this month, less than six months after the first issue was resolved — was patched by the school after the newspaper raised questions about the issue.

In a statement on Monday, Harvard University Information Technology spokesperson Timothy J. Bailey wrote that “HUIT has taken steps to address the potential for confidential information to be accessed by unauthorized individuals.”

Many Harvard units use Microsoft 365 software — including SharePoint — to distribute documents internally. SharePoint offers file creators privacy settings ranging from personal use only to a “shared with everyone” option, which led some employees to inadvertently share their work with all Harvard affiliates — not just their teams, as likely intended.

“Microsoft 365’s privacy settings allow users of SharePoint, OneDrive, and Teams to specify and manage exactly who can access a file or folder, enabling Harvard staff, faculty, and students to securely collaborate,” Bailey wrote. “HUIT is aware that some Microsoft 365 owners have improperly applied privacy settings, enabling others within the Harvard community to access information that was not intended for them.”

Since the issue was raised by The Crimson, the school has set most publicly accessible files to private, restricted document sharing settings across the University, and begun to examine whether there was unauthorized access to confidential information, Bailey wrote.

A Microsoft spokesperson wrote that the company is “aware of the issue and supporting our customer.”

The second security oversight differs slightly from the one discovered in October, when users were able to access files through the search engine Bing. Before the issue was resolved in the fall, Bing users who logged in with Harvard email accounts could view and download at least tens of thousands of files that were stored on the Microsoft-owned platforms OneDrive and SharePoint. After The Crimson alerted University officials to the issue, the school disabled the function that created the Bing oversight and shut down a similar collaboration tool within Microsoft 365 called Delve.

Kennesaw State University Information Security professor Andrew Green said Harvard is grappling with the challenge of keeping files available for affiliates who need access to them while ensuring there are enough security measures to limit access to unauthorized users.

“The complexity with which we’re trying to manage these situations, via the controls that are built into services like SharePoint, is just becoming more and more difficult,” Green said. “The needs of people to share these assets and have access to them, almost regardless of location, is a complex problem to tackle. There’s no easy solution here.”

Chris J. Hoofnagle, a faculty director of the UC Berkeley’s Center for Law and Technology, said Harvard could take “triage steps” to resolve the issue, such as utilizing a service that identifies whether documents on shared internal networks contain sensitive information, such as credit card and social security numbers.

“You want a tripwire system so that you can instantly know whether particularly sensitive data are in your services,” he said. “Those are widely available now.”

Green said the most effective way to patch the issue would be to control access by grouping University affiliates into specific categories and administering certain sharing privileges to each.

“The cleanest way, but definitely not the simplest — and definitely work-intensive and labor-intensive — is tailoring access controls to groups,” he said.

But creating such groups at a large, decentralized institution like Harvard can be difficult, Hoofnagle said — especially when school affiliates hold multiple roles concurrently, such as student and teaching assistant.

“The lines between our roles and our authorities are so blurry,” he said.

Nathan Good, a lecturer at UC Berkeley’s School of Information, said he believes Harvard has solved the problem in the short-term. But he said the University should examine how affiliates use and understand Microsoft 365 in order to prevent users from unintentionally misusing the service again.

“If you don’t design the system properly around it, you’re going to continue to have issues that crop up,” Good said.

—Staff writer Cara J. Chang can be reached at cara.chang@thecrimson.com. Follow her on Twitter @CaraChang20.

—Staff writer Isabella B. Cho can be reached at isabella.cho@thecrimson.com. Follow her on Twitter @izbcho.