Institutions of higher education are supposed to be somewhere that students go, earn a degree, and leave, all while their data is safe. Or is it? In this talk, I discuss the gaping security holes left by FERPA (Family Educational Rights and Privacy Act (20 U.S.C. § 1232g; 34 CFR Part 99) with regard to student data. Almost all student data, with the exception of grades and select demographics picked by each institution, are commonly listed as directory information that is available to anyone who asks. Add to this most institutions of higher education commonly practice automatic “opt-in” for Directory Information and require students to specifically request that their information be withheld. This leads to an OSINT opportunity ripe for abuse.
However, that is not the only issue. Due to a loophole in the way medical records are handled at institutions of higher education, these records can lose almost all protections and become classified as Directory Information.
I show examples of how easily this information can be retrieved from several institutions and what sort of information is available from many institutions. At the conclusion of the talk, I illustrate the various ways this information can be potentially used against a victim or in the construction of a false identity.
Leah Figueroa (@Sweet_Grrl) is a 13 year veteran of the data analytics field and works as a data analyst in higher education. She holds a Master’s in Education, an ABD in research psychology, and has taught kindergarten.
A data aficionado, Leah focuses on research on improving student outcomes at the higher education level, including focusing on both minority student issues as well as issues pertaining to students who come from a background of poverty. While not at work, Leah is interested in increasing data security in the higher education sphere as well as improving blue teams by helping bring data analytics into the team. Leah also enjoys being a fiber artist (knitter) and loves cats, InfoSec, picking locks, cooking, and reading.