Thoughts On Drexel’s Accidental Information Disclosure

If you attend Drexel, you may have received this email last night (open post to view):

Likewise, you may not have. As far as I know, Drexel has not released any official number as to how many of us had our records accidentally disclosed, but I’m hearing speculation on Facebook that number was around 4,700. I have also heard from unconfirmed sources that this collection of records included more information than Drexel claims. I have reached out to Drexel for a comment on that matter. According to Drexel, all that will be changed because of this is your university ID number if you were affected. No billing information was included, although I’ve heard addresses were, even though Drexel states otherwise. Again, I’m awaiting a comment on that.

So how is it that something like this could happen? Human error is the one thing that you’ll never be able to account for in a system. You can minimize the risk of it, but there’s no getting rid of it. That said, my thoughts on this matter can be summed up as “Shit happens.” Am I happy that I now have to update my ID number in a significant number of places, let alone remember a different number than the one I’ve had for four years now? No. Not in the least bit. I’ve actually requested to decline the new ID number since Drexel claims its disclosure does not present a security risk. Am I angry my GPA and email address were released? No. You can get my email from the Drexel directory. My GPA is listed on my resumé and is just another number that “measures” performance and intelligence.

I don’t see this release of information as a major breach, permitting all that was released is what Drexel claims. If matters, however, are different, then I’ll jump on the sue Drexel bandwagon that’s going on over on Facebook right now. Sure, I wouldn’t turn down a free tuition settlement offer, but I have no desire to go the legal route for the disclosure of such meaningless information. If there was private and sensitive information, then yeah, definitely.

But, in short, shit happens. Like human error.

Update: I’ve just received confirmation that addresses were not disclosed and you cannot opt-out of your new ID number.