Who: Stanford University

How Many Records: 81

Date: January 28-29, 2019

What Happened: Stanford students who requested to view their own documents including Common Applications and high school transcripts were allowed to view other students application documents.

How did it happen: Students’ documents were not searchable by name, but were instead made accessible by changing a numeric ID in a URL. Accessible documents contained sensitive personal information including, for some students, Social Security numbers. Other obtainable data included students’ ethnicity, legacy status, home address, citizenship status, criminal status, standardized test scores, personal essays and whether they applied for financial aid. Official standardized test score reports were also accessible.

Outcome: We have worked to remedy the situation as quickly as possible and will continue working to better protect our systems and data. Stanford has also notified Nolij’s parent company Hyland Software of the vulnerability. Hyland acquired Nolij in 2017 and announced on Dec. 31, 2017,​ that it would be discontinuing the NolijWeb product.