According to a report by netzpolitik.org, on January 12, an update to the Campus Management System of the Freie Universität (FU) Berlin inadvertently set some students' accounts to "God Mode", potentially enabling them to access, and in some cases change, grades. They also had access to lists of students and alumni going back to 2005.
The Free University of Berlin is one of Germany's most prestigious research universities. It is held in high regard internationally for its contributions to the arts, humanities, and social sciences. Alumni of the FU Berlin have gone on to become politicians, an astronaut, and Nobel Prize winners. As of the winter semester of 2018/2019, approximately 33,000 students were enrolled.
How did the data exposure at FU Berlin occur?
After it had been down for maintenance, students of the FU Berlin received an email that the Campus Management System was back online with new features. However, when they logged in to the updated system, some students discovered that in addition to the intentional new features, they now had the same write and access permissions as their professors and administrators. That meant that next to some of the fields in their accounts, there was now an edit button that would allow them to change the values. The search function had also been configured so that some even potentially had access to all the exam data of their peers dating back to 2005, including dates, grades, and number of attempts.
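The failure described above is a server-side authorization problem: after the update, the student role carried the write and search permissions of lecturers and administrators, and the UI faithfully rendered edit buttons for whatever the policy allowed. The following added example (not FU Berlin's code; the roles, record fields and student IDs are constructed assumptions) shows the shape of a defence: every read and edit is checked against a role policy on the server, and a least-privilege gate lists any permission a student role has gained so that a misconfigured policy can be caught before a release goes live rather than by students noticing.

```python
"""Role-based authorization for exam records, plus a deployment gate that
flags a student role which has acquired staff permissions.

Added example with constructed data; not the university's system."""
from dataclasses import dataclass, replace
from enum import Enum, auto


class Role(Enum):
    STUDENT = auto()
    LECTURER = auto()
    ADMIN = auto()


@dataclass(frozen=True)
class ExamRecord:
    student_id: str
    course: str
    grade: float
    attempts: int


# Intended policy: which actions each role may perform on exam records.
POLICY = {
    Role.STUDENT: {"read_own"},
    Role.LECTURER: {"read_own", "read_course", "edit_grade"},
    Role.ADMIN: {"read_own", "read_course", "read_all", "edit_grade"},
}

# A misconfigured policy of the kind an update could introduce: students
# carry the administrator permission set (constructed for the gate check).
BROKEN_POLICY = {**POLICY, Role.STUDENT: POLICY[Role.ADMIN]}

# Constructed sample records; IDs are placeholders.
RECORDS = [
    ExamRecord("s-100", "Algebra I", 1.7, 1),
    ExamRecord("s-100", "Logic", 4.0, 2),
    ExamRecord("s-200", "Algebra I", 2.3, 1),
]


class PermissionDenied(Exception):
    pass


def can_read(role, user_id, record, teaches=(), policy=POLICY):
    """True if this role/user may see the record (own, taught course, or all)."""
    perms = policy[role]
    if "read_all" in perms:
        return True
    if "read_course" in perms and record.course in teaches:
        return True
    return "read_own" in perms and record.student_id == user_id


def search(role, user_id, records, teaches=(), policy=POLICY):
    """Search is filtered server-side; the caller never sees records it may not read."""
    return [r for r in records if can_read(role, user_id, r, teaches, policy)]


def edit_grade(role, record, new_grade, policy=POLICY):
    """The check lives here, not in the UI: hiding an edit button is not a control."""
    if "edit_grade" not in policy[role]:
        raise PermissionDenied(f"{role.name} may not edit grades")
    return replace(record, grade=new_grade)


def least_privilege_violations(policy):
    """Deployment gate: permissions a student role must never hold, if present."""
    forbidden = {Role.STUDENT: {"edit_grade", "read_all", "read_course"}}
    return sorted(
        (role.name, perm)
        for role, bad in forbidden.items()
        for perm in policy.get(role, set()) & bad
    )


if __name__ == "__main__":
    print("student sees:", [r.course for r in search(Role.STUDENT, "s-100", RECORDS)])
    print("gate on intended policy:", least_privilege_violations(POLICY))
    print("gate on broken policy:", least_privilege_violations(BROKEN_POLICY))
```

Running `least_privilege_violations` against the policy that a release will ship, as part of the deployment pipeline, turns a 70-minute exposure into a failed build.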
How has the University responded?
According to a statement from University Chancellor Andrea Bör, the data was exposed for 70 minutes, from 2:33 PM until 3:43 PM the same day. Data was not exposed publicly, but rather to individuals logged into the Campus Management System. The University's IT system logs showed that 673 students were logged in during that timeframe. Students who discovered the glitch quickly informed university administrators, and student account permissions were corrected within half an hour. Furthermore, Bör states that no grades were actually changed and, according to their fault analysis, a single student took the opportunity to unenroll himself from four classes he was currently enrolled in. However, university administrators were able to undo these changes. The university is taking measures to inform affected individuals and ensure that such an exposure doesn't happen again.
What can organizations do to avoid exposures like this?
The update in question was part of an initiative to digitize the University's internal processes. One of the main elements of this particular update was to digitize test records so that administrators would no longer have to rely on paper-based processes.
In 2021, one need not repeat the advantages of digitization. Especially during the COVID-19 pandemic, the pressure on organizations to move towards digitization has grown considerably. What does bear repeating is that even with the best intentions of colleagues and the grace of users reporting issues as they arise, digitization always carries a risk of data exposure.
Whether the concern is accidental exposure like in this case or external attackers, the best strategy is to assume that sooner or later, sensitive data at your organization is going to be compromised, one way or the other. That is why the focus shouldn't solely be on protecting the containers that data is stored in, but rather the data itself should be protected in a data-centric security approach.
A data-centric security strategy starts with the assumption that the organization has already been compromised and therefore, whenever possible, sensitive data must be protected throughout the organization wherever live data was formerly used. In many situations, live data can be replaced with operationally and functionally equivalent data elements that still enable operations and analytics, yet have no discernible value to any person who may gain unauthorized access to them. The outcome is that attacks and accidental exposures are more difficult, more detectable, and more manageable than they are with traditional perimeter-based defenses, monitoring, and controls.
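The replacement of live data with "operationally and functionally equivalent" elements is usually done by tokenization. The added example below (not the page's or any vendor's code; the secret, the student IDs and the grade values are constructed) keeps a reversal vault in one component and hands every other system, including search and analytics, records in which the student identifier has been replaced by a same-format token derived with a keyed HMAC. Course averages computed on the tokenized records match those on the live records, the same student still maps to the same token so joins work, and an account that reaches the tokenized store, by accident or by attack, sees no real identifier.

```python
"""Tokenization of student identifiers so that downstream systems work on
records that carry no live ID.

Added example with constructed data; not a real tokenization product."""
import hashlib
import hmac
import statistics
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class ExamRecord:
    student_id: str
    course: str
    grade: float


# Constructed live records; IDs follow an assumed "FU-" + 6 digits format.
LIVE_RECORDS = [
    ExamRecord("FU-201234", "Algebra I", 1.7),
    ExamRecord("FU-201234", "Logic", 2.3),
    ExamRecord("FU-209876", "Algebra I", 3.0),
    ExamRecord("FU-215555", "Logic", 1.0),
]


class TokenVault:
    """The only component holding the key and the token -> identifier mapping.

    Tokens are deterministic (same ID, same token) so that records about one
    student can still be joined; the cost is that equality of tokens reveals
    equality of students, which is acceptable for this use and must be
    weighed per dataset."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._reverse: dict[str, str] = {}

    def tokenize(self, student_id: str) -> str:
        digest = hmac.new(self._secret, student_id.encode(), hashlib.sha256).digest()
        # Same shape as a live ID, so forms, exports and validators accept it.
        token = "FU-" + str(int.from_bytes(digest[:8], "big") % 10**6).zfill(6)
        existing = self._reverse.get(token)
        if existing is not None and existing != student_id:
            # Collision in the 6-digit space: a production vault would assign
            # a fresh unique token instead; here we fail loudly.
            raise RuntimeError(f"token collision for {token}")
        self._reverse[token] = student_id
        return token

    def detokenize(self, token: str) -> str:
        """Reversal is only possible through the vault."""
        return self._reverse[token]


def tokenize_records(vault: TokenVault, records):
    """What every system outside the vault receives."""
    return [replace(r, student_id=vault.tokenize(r.student_id)) for r in records]


def course_average(records, course):
    """Analytics work unchanged on tokenized records; grades are untouched."""
    return statistics.mean(r.grade for r in records if r.course == course)


def contains_live_ids(records, live_ids) -> bool:
    """Check used before an export or a search index is built."""
    return any(r.student_id in live_ids for r in records)


if __name__ == "__main__":
    vault = TokenVault(b"constructed-demo-secret")
    tokenized = tokenize_records(vault, LIVE_RECORDS)
    for r in tokenized:
        print(r)
    print("Algebra I average:", course_average(tokenized, "Algebra I"))
```

The important property is where the reversal lives: an update that mistakenly widens permissions on the grade system exposes tokens, and only a separate compromise of the vault turns them back into people.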