Date: 2020-08-31

Eastern Washington University is reviewing an incident where a student purchased a computer from the school’s surplus store, then found documents containing personal and sensitive information.
Junyu Teoh is an EWU senior studying computer science and data science. He often buys used computers to repair and then resell at a higher value.
“I saw these iMacs for sale on their Facebook page and I was like, ‘Well, I could mess with some computers cause that’s what I do.’ So, a few friends of mine and me head out there (to EWU Surplus),” Teoh said.
Teoh bought two iMacs and a Mac Pro for prices ranging from $20-$30 each. He was under the impression the computers were completely wiped clean, which is university policy.
His impression was incorrect, which he discovered as soon as he turned the computers on.
“I saw that there were two users in there. I managed to reset the password on one of them and I logged in. I was snooping around and I saw bank statements, grades, family info, student info… and that was just one of (the computers),” Teoh said.
All of the documents were either on the computer's desktop or in its downloads folder, Teoh said. However, the first computer, which included personal information, receipts, and student information (grades, IDs, etc.), was just the tip of the iceberg. His curiosity turned to shock after he turned on the second computer.
“I think the worst part is one of (the computers) had clear text passwords in a text document: username, password, username, password. His Chase (Bank) login was in there… Having student test scores is one thing, but having bank login info is a whole different ballgame,” Teoh said.
There was even a text file titled "passwordsfile.txt".
“The more I was looking through it, I was like, ‘How are all of these in here?’ We don’t know how many other computers were sold this way. I don’t know, it could be a lot worse,” he said.
Teoh contacted EWU's Information Technology (IT) Department, which resulted in the following response from an employee:
“Hi Junyu. Thanks for the details. In accordance with university policy and state law, we will be reporting this breach to the state and other appropriate authorities (it varies, based on the information that is breached). The storing of passwords in plain text violates university policy. The use of state equipment for personal purposes, except de minimis use, also violates university policy and state statute. Finally, when this machine was processed by Surplus, it is university policy to require a full wipe or destruction of the drive. Clearly, that wasn’t done in this case. Once the machine is returned, we will evaluate which individuals need to be informed about the breach as well as the accountable employees.”
When we reached out to EWU, we were essentially told the same thing. An EWU spokesperson said the university is looking into the matter and is “very thankful (Teoh) pointed this out.” While the spokesperson could not provide further details due to the ongoing nature of the matter, he said the university has a process to wipe every computer clean before it is repurposed or sold. In this case, the early indications are that the complications were caused by a simple slip-up in the system.
Teoh is concerned about other computers containing personal information, as well. He is hoping the university contacts any students who may have had their personal data compromised.
“A lot of people always think ‘Who’s going to hack me? Why should I worry about my security?’ But sometimes, we don’t realize that we give out our information to these institutions, whether it’s school or work or whatever. They might not be securing your information well enough, which is what’s happening here. I could secure my mailing address and my student ID real well, but I still have to give it to the school… I think it’s important that we hold these institutes accountable for their actions, especially in this day and age when data is so valuable and it’s always getting misused,” Teoh said.
