- I received a letter from OVPUE about a computer security incident. What happened?
- How was the exposure discovered?
- Were all students' records potentially accessible?
- What information was potentially accessible?
- Could someone have changed my student information using the GPA tool involved in this incident?
- Exactly what did your investigation reveal?
- Is this information still at risk of disclosure to an unauthorized person?
- What time period does the data cover?
- Can you explain what personal information was involved?
- How do I know what information of mine was involved?
- Will Indiana University or the IU Bloomington Office for Undergraduate Education contact me to ask for private information because of this event?
- What will IU do to prevent this from happening again?
- Does that mean someone stole my social security number?
- My email says that only my names of courses taken, course grades, course credit hours, semesters involved and GPAs were potentially accessible from the application. Why are you notifying me of this, if my Social Security number, credit card or financial information were NOT exposed?
- Has anyone reported a problem with his or her social security number or credit card due to this incident?
- Can an intruder make use of my credit card number from this incident?
- Should I close my financial and credit card accounts?
- Should I request a fraud alert or credit freeze with the national credit bureaus?
- Who should I contact if I have any additional questions concerning this incident?
- I heard about the GPA calculator incident in the news. Why didn’t I get an email? Does this mean that my personal information was not exposed?
- I am calling from the media (reporter, etc.) and want more information about what happened. Can you answer my questions?
- Why are you just contacting me now when the Office of the Vice Provost for Undergraduate Education became aware of the exposure on February 4, 2020?
- What is IU doing about this RIGHT NOW?
- If IU discovers additional details about this incident, will another communication/notification go out?
- What should I do now?
Answers to your questions regarding the IU GPA Calculator Incident
I received a letter from OVPUE about a computer security incident. What happened?
On February 4, 2020, the university received a report that a tool deployed by the IU Bloomington Office of the Vice Provost for Undergraduate Education in late 2018 to allow students to access their own grades and calculate their grade point average (GPA) could, in certain circumstances, allow authenticated users to view other students’ information inappropriately. The tool was disabled within the hour of the university being notified, and subsequent investigation confirmed the tool contained a software vulnerability. A thorough investigation of the application and available forensic information was conducted.
How was the exposure discovered?
The vulnerability was reported to the university’s director of media relations by an Indiana Daily Student reporter.
Were all students' records potentially accessible?
No. Only limited information about students with a potentially impacted record* during the time frame of Nov. 26, 2013 to Feb. 4, 2020, was available for access via the GPA Calculator tool between Nov. 2018 and Feb. 4, 2020.
* A potentially impacted student record would have been accessible if any of the following conditions were met:
- a Bloomington-related student who took a course associated with an IUB program of study or whose record was reactivated since November 2013; or
- a non-Bloomington-related student who took a course or whose record was reactivated between November 2013 and November 2016
Note: A student’s records may have been reactivated for a number of reasons (e.g. a former student had administrative or academic interactions with any IU campus such as reapplying for admissions or had someone request a degree or enrollment verification on their behalf).
What information was potentially accessible?
A thorough investigation of the application and the available forensic information determined that the information that could potentially have been accessed included names of courses taken, course grades, course credit hours, semesters involved and GPAs from a subset of individual student records.
Could someone have changed my student information using the GPA tool involved in this incident?
No, the tool involved in this incident had no ability to update the affected information.
Exactly what did your investigation reveal?
A dedicated incident response team reviewed the tool and forensic information and determined that the tool contained a software vulnerability. The team also determined the following:
- The vulnerability did not allow for automated mass exfiltration of data.
- Rather, it allowed only for individual record lookups by authenticated users.
- A thorough review of available log data comprising the last 90 days indicates only a small number of individuals were responsible for all inappropriate lookups.
- Limited information about students with a potentially impacted record* during the time frame of Nov. 26, 2013 to Feb. 4, 2020, was available for access via the GPA Calculator tool between Nov. 2018 and Feb. 4, 2020. The information included names of courses taken, course grades, course credit hours, semesters involved and GPAs.
- In some cases, this information could potentially be accessed by other authenticated members of the IU community who should not have had such access.
- It is important to note that only the information above was available via this tool. No other data such as Social Security numbers, national ID numbers, or financial information were accessible. Additionally, no other student data were accessible as a result of this vulnerability.
* A potentially impacted student record would have been accessible if any of the following conditions were met:
- a Bloomington-related student who took a course associated with an IUB program of study or whose record was reactivated since November 2013; or
- a non-Bloomington-related student who took a course or whose record was reactivated between November 2013 and November 2016
Note: A student’s records may have been reactivated for a number of reasons (e.g. a former student had administrative or academic interactions with any IU campus such as reapplying for admissions or had someone request a degree or enrollment verification on their behalf).
Is this information still at risk of disclosure to an unauthorized person?
No. The tool was disabled within the hour of the vulnerability being reported, and will not be re-enabled until a technical assessment has been completed and the software vulnerability has been corrected.
What time period does the data cover?
Limited information about students with a potentially impacted record* during the time frame of Nov. 26, 2013 to Feb. 4, 2020, was available for access via the GPA Calculator tool between Nov. 2018 and Feb. 4, 2020. The information included names of courses taken, course grades, course credit hours, semesters involved and GPAs.
* A potentially impacted student record would have been accessible if any of the following conditions were met:
- a Bloomington-related student who took a course associated with an IUB program of study or whose record was reactivated since November 2013; or
- a non-Bloomington-related student who took a course or whose record was reactivated between November 2013 and November 2016
Note: A student’s records may have been reactivated for a number of reasons (e.g. a former student had administrative or academic interactions with any IU campus such as reapplying for admissions or had someone request a degree or enrollment verification on their behalf).
Can you explain what personal information was involved?
Individual students’ information, including names of courses taken, course grades, course credit hours, semesters involved and GPAs, was involved in this incident.
How do I know what information of mine was involved?
For those who received an email notice - The email you received lists specifically which pieces of information about you were or may have been inappropriately accessed. Specifically, this included names of courses taken, course grades, course credit hours, semesters involved and GPAs.
For those who did NOT receive notice – In certain circumstances, the application could have allowed an authenticated user to look up names of courses taken, course grades, course credit hours, semesters involved and GPAs. However, we have no evidence that your information was accessed, only that it could have been accessed from Nov. 2018 until the software vulnerability was discovered and the tool was disabled on Feb. 4, 2020.
Will Indiana University or the IU Bloomington Office for Undergraduate Education contact me to ask for private information because of this event?
No. In similar cases at other institutions, people have reportedly been contacted by individuals who claim to represent the institution that notified them of the incident and who then ask for personal information, including Social Security numbers and/or credit card information. Please be aware that Indiana University or the Office of the Vice Provost for Undergraduate Education will contact you only with information regarding this incident, or if you ask us, by email or telephone, for information. We will not ask for your full Social Security number. We will not ask for any credit card or bank information. We recommend that you do not release personal information in response to any contacts of this nature that you have not initiated.
What will IU do to prevent this from happening again?
We care deeply about the privacy of our students. We share our students’ concerns and are in the process of taking further steps to reduce the potential for a future similar incident. A dedicated team has identified how the software vulnerability occurred and the tool will not be made available until the weakness has been corrected.
Does that mean someone stole my social security number?
No social security numbers, driver’s license numbers or financial information was exposed by this vulnerability.
My email says that only my names of courses taken, course grades, course credit hours, semesters involved and GPAs were potentially accessible from the application. Why are you notifying me of this, if my Social Security number, credit card or financial information were NOT exposed?
Records of courses taken, course grades, course credit hours, semesters involved and GPAs are considered confidential data, and their release is protected under the Family Educational Rights and Privacy Act (FERPA). Therefore, we are notifying you that this data may have been inappropriately accessed.
Has anyone reported a problem with his or her social security number or credit card due to this incident?
No social security numbers or credit card information was related to this incident.
Can an intruder make use of my credit card number from this incident?
No credit card numbers were associated with this incident.
Should I close my financial and credit card accounts?
No financial account or credit card information was accessible from the application.
Should I request a fraud alert or credit freeze with the national credit bureaus?
No social security number, financial information, or other information that would facilitate identity theft was accessible from the affected application.
Who should I contact if I have any additional questions concerning this incident?
If you have any additional questions, please contact the incident call center on 812-855-0080, or 833-516-0482 (toll free).
I heard about the GPA calculator incident in the news. Why didn’t I get an email? Does this mean that my personal information was potentially accessible?
If you did not receive an email, your information is likely either outside the potentially affected scope of this incident or the university no longer has email contact information for you. If you believe you may have been part of the potentially affected population (see FAQ Question - Were all students' records potentially accessible?), and have not received notification, you may contact the incident call center on 812-855-0080, or 833-516-0482 (toll free).
I am calling from the media (reporter, etc.) and want more information about what happened. Can you answer my questions?
We are unable to respond to media inquiries. Please contact the media contact below:
Chuck Carney
Director of Media Relations, Spokesperson
Indiana University
Office: 812-855-1892
Cell: 812-325-3648
ccarney@iu.edu
Why are you just contacting me now when the Office of the Vice Provost for Undergraduate Education became aware of the exposure on February 4, 2020?
After becoming aware of the exposure, we immediately began an internal investigation to determine what information may have been accessed. This included analyzing logs, determining what data and individuals were involved, and obtaining contact information for affected individuals. We coordinated notification of all students whose information was involved. Additionally, we posted a notice and FAQ on our website (https://ovpue.indiana.edu/about-us/incident-faq.html).
What is IU doing about this RIGHT NOW?
The Bloomington Office of the Vice Provost for Undergraduate Education is committed to maintaining the privacy of students. OVPUE requires mandatory FERPA training for its employees with access to student information. A dedicated team has identified how the software vulnerability occurred and the tool will not be reactivated until the weakness is corrected.
If IU discovers additional details about this incident, will another communication/notification go out?
IU is not planning further direct communications at this time, but will post significant additional details that may arise to the web site of the Office of the Vice Provost for Undergraduate Education (https://ovpue.indiana.edu/about-us/notices.html).
What should I do now?
This incident does not involve social security numbers, credit card numbers, or financial information. Any significant future updates will be posted to the web site of the Office of the Vice Provost for Undergraduate Education (https://ovpue.indiana.edu/about-us/notices.html).