University ID numbers of students living on campus inadvertently released

A list of University ID numbers of students living on campus was inadvertently released in an email from The Department of Residence. While the risk for any misuse is low, the DOR alerted students to the incident in a follow up email. 

Alex Hanson

Editor’s note: This story has been updated to reflect that phone numbers were not included in the email attachment. It was updated a second time to include an email sent to students by The Department of Residence.

Anyone living in Iowa State housing had their university ID number exposed in an email attachment sent to about 2,300 students by The Department of Residence this week.

The email, sent by DOR on Tuesday, was to inform students about new university policy on electronic cigarettes. The mass email, which DOR sends in batches, included an attachment with a roster of everyone living in university housing.

Peter Englin, director of residence, said the list was not intended to have been attached to the email. He said as of Thursday afternoon, seven students contacted Englin with concerns about the released IDs. 

Englin sent an email to ISU students Friday evening to make them aware of the situation.

“The risk to students as a result of this breach is extremely low,” the email stated. “Iowa State has received no reports, nor do we have any evidence, that any harm has occurred, and no student financial information was contained on the student list.”

The attached spreadsheet included students’ university ID numbers, their ISU email addresses and where they live on campus. Unless a student suppresses their info on AccessPlus, all of the info released is available through the ISU online directory, except university ID numbers.

The email reached about 2,300 students on campus before the roster was noticed by the employee sending out the email. Englin explained that the department’s system sends emails in batches of about 500 and said the employee noticed the mistake after sending five batches.

The DOR did send a “recall” message to students who were sent the attachment, but the attachment was still available to anyone who received it.

Englin said DOR met with IT Security Committee the next day to discuss options for the situation.

Andrew Weisskopf, information security officer at IT Services, said university ID numbers are only used internally at Iowa State, so students will not be at risk for any large-scale theft that might occur when a Social Security number is stolen, but there could possibly be issues of ID numbers being used on campus.

“The ability to social engineer staff on campus is one that always exists,” Weisskopf said. “This could add to it, but we’re going to use it as a messaging opportunity to university staff to be more vigilant in how they vet people who are not in front of them.”

John McCarroll, director of University Relations, said Friday in an email that any liability following misuse is with the person responsible for any misuse, if harm or damage occurs.

McCarroll said that passwords were not disclosed along with the university IDs, meaning there likely would not be any harm in this disclosure.

He also added that after speaking with the university legal counsel, they noted it would be a violation of the Student Disciplinary Regulations for someone to use another student’s university ID in an effort to mislead university officials or access university services.

Weisskopf stressed the university would use the incident as a learning opportunity that may help prevent any similar incident in the future.

“The risk is very low, but that doesn’t mean we don’t have a responsibility to be transparent with those who are affected,” Englin said. “We’re distraught that it got attached. The person was mortified that they made this mistake. It was human error.”

Any students who run into security issues can contact [email protected] or visit the IT solution center.