To examine other students' high school records and Common Applications, Stanford students first had to request to see their own admission records.
The available documents included private information, such as Social Security numbers for some students.
Students' race, legacy status, address, citizenship status, criminal status, test scores, personal writings, and whether they sought financial aid were also available.
Students' documents could be accessed by modifying a numeric ID in a URL rather than by searching for them by name.
TPRM report: https://scoringcyber.rankiteo.com/company/stanford-university-school-of-medicine
{
  "id": "sta15918223",
  "linkid": "stanford-university-school-of-medicine",
  "type": "Breach",
  "date": "02/2019",
  "severity": "60",
  "impact": "3",
  "explanation": "Attack with significant impact with internal employee data leaks"
}
{'affected_entities': [{'industry': 'Education',
                        'location': 'Stanford, California, USA',
                        'name': 'Stanford University',
                        'type': 'Educational Institution'}],
 'attack_vector': 'URL Manipulation',
 'data_breach': {'personally_identifiable_information': ['Social Security numbers',
                                                         'Race',
                                                         'Legacy status',
                                                         'Address',
                                                         'Citizenship status',
                                                         'Criminal status',
                                                         'Test scores',
                                                         'Personal writings',
                                                         'Financial aid status'],
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Personal Information',
                                              'Educational Records']},
 'description': "Stanford students exploited a vulnerability to access other students' high school records and Common Applications by modifying a numeric ID in a URL.",
 'impact': {'data_compromised': ['Social Security numbers',
                                 'Race',
                                 'Legacy status',
                                 'Address',
                                 'Citizenship status',
                                 'Criminal status',
                                 'Test scores',
                                 'Personal writings',
                                 'Financial aid status']},
 'motivation': 'Unauthorized Access to Sensitive Information',
 'threat_actor': 'Internal Students',
 'title': 'Unauthorized Access to Student Admission Records at Stanford',
 'type': 'Data Breach',
 'vulnerability_exploited': 'Insecure Direct Object Reference (IDOR)'}