Institutions of higher education are supposed to be places where students go, earn a degree, and leave, all while their data stays safe. Or is it? In this talk, I discuss the gaping security holes that FERPA (the Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g; 34 CFR Part 99) leaves in the handling of student data. Almost all student data, with the exception of grades and a handful of demographic fields chosen by each institution, is commonly classified as Directory Information, which is available to anyone who asks. Add to this that most institutions of higher education automatically enroll students in Directory Information disclosure (an "opt-in" by default) and require students to specifically request that their information be withheld. The result is an OSINT opportunity ripe for abuse.
However, that is not the only issue. Due to a loophole in the way medical records are handled at institutions of higher education, these records can lose almost all of their protections and be reclassified as Directory Information.
I show examples of how easily this information can be retrieved from several institutions and what sort of information is available from many of them. At the conclusion of the talk, I illustrate the various ways this information can be used against a victim or in the construction of a false identity.
Venue for DEF CON 27:
Talks: Celebrity 5
InfoBooth and CTF: Contest Area
Got a question?
DM @reconvillage or Drop an email to firstname.lastname@example.org