zlacker

[parent] [thread] 5 comments
1. jovial+(OP)[view] [source] 2021-10-12 21:03:36
I graduated high school in 2015. I remember similarly poking around a network drive until I found a file in plaintext which contained everyone's student ID and whether or not they had a nut allergy (protected by HIPAA), for the bus system.

I didn't think much of it, but some other students caught wind. Before I knew it, the superintendent threatened to have the police involved and press legal action for "hacking confidential student data."

It's CYA all the way, usually at the expense of the person in the chain least equipped to cover their ass (the student).

replies(3): >>earksi+T >>35fbe7+93 >>drusep+U7
2. earksi+T[view] [source] 2021-10-12 21:08:45
>>jovial+(OP)
Wow. That's terrifying. And you didn't even run anything!

I'm guessing that they never told you "don't browse this network drive"?

replies(1): >>Button+Ke
3. 35fbe7+93[view] [source] 2021-10-12 21:23:36
>>jovial+(OP)
> whether or not they had a nut allergy (protected by HIPAA)

Personal pet peeve:

Your high school is not a covered entity and is not acting as a business associate of a covered entity. HIPAA does not apply. They are free to keep a plaintext file with your name, nut allergies, COVID vaccination status, and anything else they want to put in there - without HIPAA entering into the discussion.

FERPA could apply, but I don't know much about that.

replies(1): >>educat+5I2
4. drusep+U7[view] [source] 2021-10-12 21:55:33
>>jovial+(OP)
Similar story: the dean of my "high school" [1] asked me to create our school website. Another student apparently poked around on a network drive and found an SQL dump of all the students' network username/passwords. I brought this file to the dean, told them it was available on a shared drive (so they could remove it), and asked if they'd like me to use it -- since I already had it -- to enable all the students to log in to the school website with their existing network usernames/passwords. They said that was a great idea and gave me the OK.

A week later, police escorted me from my dorm and both I and the other student were eventually expelled and threatened with harsh legal action, which never came.

[1] The "high school" was an early-entrance-to-college program where we started college at 16, lived on campus, took the normal freshman/sophomore college courses, and eventually received a high school diploma and an Associate of Science when we graduated at 18. The website was for the school I attended, but the SQL dump included all of the university students as well. The school has since shut down.

◧◩
5. Button+Ke[view] [source] [discussion] 2021-10-12 22:37:10
>>earksi+T
Never press F12 while browsing. Instant hacker.

Seriously, I found a state website that appeared to be exposing NPI about certain people in an API response. So much NPI nicely formatted in a JSON response. I closed the page and never touched it again. You know the state will declare me a dangerous and sophisticated hacker because I pressed F12 to open the developer tools, that's much easier than admiring they made a mistake.

◧◩
6. educat+5I2[view] [source] [discussion] 2021-10-13 18:13:07
>>35fbe7+93
Nut allergy info that was collected by the school (teacher, admin, nurse, whoever) is part of the student records and would be protected information under FERPA.
[go to top]