Several Grinnell College student workers received a letter detailing how an employee error in May of this year caused their payroll information to become public to anyone with a “grinnell.edu” email address. A folder within public Grinnell files held the payroll information of student workers, faculty and staff, before being taken down on May 7.
On May 4, as finals approached, Chris Cardenas `26 could not access a syllabus for one of his classes. He said that he searched for his professor’s name on Outlook and clicked the “Files” tab, hoping to find the syllabus. Instead, he found a file that contained his professor’s name, quarterly wages and full Social Security number. As far as Cardenas said he could tell, this file held that information for every faculty and staff member at the College. Cardenas said that he let the file sit until Sunday, May 7, when he said he found that a similar file had the payroll information of student workers. Cardenas said that he could see every student worker’s quarterly wages as well as the last four digits of their Social Security number.
Upon this discovery, Cardenas alerted Information and Technology Services (ITS) to the presence of the file, and it was taken down that day.
“Our ensuing investigation found no evidence that any information from the folder was misused or downloaded without authorization,” wrote Dave Robinson, chief information officer, in an email to the S&B. Robinson said that ITS and administration have learned from this error and are working to strengthen the College’s online security through safeguards and staff training. Any students whose information was present in the file have been notified via letter, Robinson said.
“The investigation confirmed that a limited number of files containing student, faculty and staff payroll information were present in one folder, which was accessible within the College’s internal network to authenticated Grinnell users,” Robinson wrote.
One of those letters went to Irish Stoll `26. Many letters went to the home addresses of students, but Stoll’s was eventually forwarded to her campus box. “They told me that an employee at the school had moved information from a private folder to a public folder that anyone in the Grinnell domain could access that had information about my payroll, Social Security, and all these things that you need when you apply for a job,” said Stoll, who currently works on campus.
Like every other student who was notified, Stoll received instruction on how to access a free year subscription to a credit monitoring service to prevent identity theft. Despite this solution, however, Stoll did not say she felt totally secure. “I am now more nervous about what other information can get released that easily,” Stoll said.
Stoll said she felt surprised upon learning how Cardenas had accessed the information and alerted ITS. “I wish [ITS] would have told me more details; I was kind of under the impression that they didn’t really know that much,” Stoll said.
“I would like to get periodic updates for at least a couple of months from the College that they’re still checking in on this. And I’d like to receive an update that the information has been more securely placed somewhere else than where it was before,” Stoll said, referring to her ideal process going forward. To the best of the S&B’s knowledge, the file was accessed solely by Cardenas, who did not download the file and reported it.
Libby Eggert • Oct 30, 2023 at 9:05 am
Who/what is the picture of?