This is the latest information surrounding the OVPUE data security incident.
On February 4, 2020, the university received a report that a software tool developed by the IU Bloomington Office for Undergraduate Education could, in certain circumstances, allow IU users with valid IU computing account credentials and two-factor authentication to inappropriately view another individual student’s information.
This departmental tool called GPA Calculator was initially made available in late 2018 to enable authorized IU staff to lookup individual students’ information including titles of courses taken, course grades, and various grade point averages. Individual students could also access their own course information including names of courses taken, course grades, course credit hours, semesters involved and GPAs.
The university disabled the tool within an hour of being notified.
A dedicated incident response team reviewed the tool and forensic information and determined that the tool contained a software vulnerability. The team also determined the following:
- The vulnerability did not allow for automated mass exfiltration of data; no databases were downloaded.
- It is important to note that only the information above was available via this tool. No other data such as Social Security numbers, national ID numbers, or financial information were accessible. Additionally, no other student data were accessible as a result of this vulnerability. The tool did not enable any changes to any student data.
- The tool allowed only for individual record lookups, one-at-a-time, by those with valid IU computing credentials.
- A thorough review of all available log data comprising the last 90 days indicates only a small number of individuals were responsible for all inappropriate lookups
- Limited information regarding students with a potentially viewed record during the time frame of Nov. 26, 2013, to Feb. 4, 2020, was available for possible access via the GPA Calculator tool.
- In some cases, this information could potentially be accessed by other authenticated members of the IU community who should not have had such access.
Protecting private student information is of paramount concern to Indiana University and we apologize for this incident. The department, working with the university, has taken steps to correct this issue.
Students who had records in the potentially viewed population have been notified. Students who believe they may have been part of the potentially viewed population, and who have not yet received notification, should contact the incident call center on 812-855-0080, or 833-516-0482 (toll free).
For more information, refer to the incident FAQ at https://ovpue.indiana.edu/about-us/incident-faq.html.
 A potentially viewed student record would have been accessible if any of the following conditions were met:
- a Bloomington-related student who took a course associated with an IUB Program of study or who’s record was reactivated after November 2013; or
- a non-Bloomington-related student who took a course or whose record was reactivated between November 2013 to November 2016.
Note: A student’s records may have been reactivated for a number of reasons (e.g. a former student had administrative or academic interactions with any IU campus such as reapplying for admissions or had someone request a degree or enrollment verification on their behalf).