Notices

IU GPA Calculator Incident

This is the latest information surrounding the OVPUE data security incident.

On February 4, 2020, the university received a report that a software tool developed by the IU Bloomington Office for Undergraduate Education could, in certain circumstances, allow IU users with valid IU computing account credentials and two-factor authentication to inappropriately view another individual student’s information.

This departmental tool, called GPA Calculator, was initially made available in late 2018 to enable authorized IU staff to look up individual students’ information, including titles of courses taken, course grades, and various grade point averages. Individual students could also access their own course information, including names of courses taken, course grades, course credit hours, semesters involved and GPAs.

The university disabled the tool within an hour of being notified.

A dedicated incident response team reviewed the tool and forensic information and determined that the tool contained a software vulnerability. The team also determined the following:

  • The vulnerability did not allow for automated mass exfiltration of data; no databases were downloaded.
  • It is important to note that only the information above was available via this tool. No other data such as Social Security numbers, national ID numbers, or financial information were accessible. Additionally, no other student data were accessible as a result of this vulnerability. The tool did not enable any changes to any student data.
  • The tool allowed only for individual record lookups, one at a time, by those with valid IU computing credentials.
  • A thorough review of all available log data comprising the last 90 days indicates only a small number of individuals were responsible for all inappropriate lookups.
  • Limited information regarding students with a potentially viewed record[1] during the time frame of Nov. 26, 2013, to Feb. 4, 2020, was available for possible access via the GPA Calculator tool.
  • In some cases, this information could potentially be accessed by other authenticated members of the IU community who should not have had such access.

Protecting private student information is of paramount concern to Indiana University and we apologize for this incident. The department, working with the university, has taken steps to correct this issue.

Students who had records in the potentially viewed population have been notified. Students who believe they may have been part of the potentially viewed population, and who have not yet received notification, should contact the incident call center on 812-855-0080, or 833-516-0482 (toll free).

For more information, refer to the incident FAQ at https://ovpue.indiana.edu/about-us/incident-faq.html.



[1] A potentially viewed student record would have been accessible if any of the following conditions were met:

  • a Bloomington-related student who took a course associated with an IUB Program of study or whose record was reactivated after November 2013; or
  • a non-Bloomington-related student who took a course or whose record was reactivated between November 2013 and November 2016.

Note: A student’s records may have been reactivated for a number of reasons (e.g. a former student had administrative or academic interactions with any IU campus such as reapplying for admissions or had someone request a degree or enrollment verification on their behalf).

Previous updates released during the investigation

The updates below were released during the investigation of the incident. These updates are preserved here for historical purposes but have been superseded by the latest notice (above).

Ongoing analysis has determined that additional student records dating back to Nov. 26, 2013, were accessible via the GPA Calculator application. Enrolled Indiana University Bloomington students, students who transferred to/from IU Bloomington, or former students on any IU campus during this timeframe are potentially impacted. Additionally, former students prior to 2013 whose records were “reactivated” on or after Nov. 26, 2013, are also potentially impacted. A student’s records may have been reactivated for a number of reasons, such as if the student made an academic advising appointment, requested a transcript, made a bursar payment, or registered for a course.

Additional analysis has revealed that in addition to current IU Bloomington students, past students on all IU campuses who have taken at least one course in the past 5 years were potentially impacted. We are expeditiously working to identify all potentially impacted individuals.

Previous reports had indicated that the application was intended to be used only by university staff—this is inaccurate. The primary purpose of the application was for students to view their own grade history, select a subset of completed courses, and see the resulting GPA based only on the selected courses. The feature allowing users to view grades and calculate GPAs for others was intended only for authorized university staff, but was inadvertently allowed for unauthorized users.

Note: this notice was previously published on the protect.iu website.

An application designed to provide authorized Indiana University staff with access to student grade point averages was misconfigured, giving broader, unintended access to others in the IU community.

When IU leadership was made aware of the matter, the tool was disabled within the hour of notification.

Pending any new insights, the scope has been determined to be only students enrolled at or taking IU Bloomington classes or those transferring to or from IU Bloomington. 

A dedicated Indiana University team is working to determine the cause.

Check this site for further updates.