The Eagle Explains: Uncovering AU's unintentional exposure of student information
How do you report on a piece of technology you know nothing about?
That was the question faced by Sports Managing Editor Spencer Nusbaum and me as we dove into the story we published on Monday, detailing how American University inadvertently exposed thousands of students’ data via the myAU portal.
Nusbaum stumbled across the information in the portal in late December when we were all home on winter break. Files he found encompassed student retention data and survey responses that included names and AUID numbers, in some cases going back five years. He called me for a smell test of the information’s newsworthiness, and the story has consumed my time since then.
The biggest hurdle, the reason this story took so long to produce, is the myAU portal itself. More specifically, it’s because Microsoft SharePoint — the file-sharing system much of the myAU portal is built on — is prohibitively complicated for those of us whose strengths lie more on the writing and language side of the SAT exams. First, we needed to understand how the system works in order to accurately report on why the information was available to myAU users, before explaining how and why AU had violated federal law. I began working on this story by reaching out to dozens of subject-matter experts.
Only two responded — Adam Levithan and D’arce Hess, both recognized by Microsoft for their SharePoint skills.
The story would have been impossible without them, even though they never saw the portal, let alone the student data. While their contributions seem relatively limited in the story, mostly relegated to explaining the technical underpinnings of the myAU system, they provided me with the layman’s understanding I needed to ask informed questions of AU. That’s reflected throughout the entire article.
We had to take one other major step, beyond understanding the technology, legal aspects and student privacy implications: we had to make sure we were accurately reporting on the data and calculating exactly how many students had their information exposed. To do that we had to download the files.
We recognized it as necessary for the reporting of the story. Once we made our calculations and verified the legitimacy of the data, we encrypted the information and later deleted it, along with any screenshots, from our computers before the story was published. The only Eagle staffers who accessed and downloaded the data were Nusbaum, Editor-in-Chief Sophie Austin and me.
This story isn’t over. In the next few days, the University said it will contact the thousands of students affected to explain exactly which information of theirs was exposed. If you’re one of them, please don’t hesitate to reach out for a follow-up story. My email is above. And, if you have a story tip or feedback on our reporting, my inbox is always open.