A physics undergraduate, Owen Mitchem, inadvertently discovered and exploited a significant security vulnerability in the University of Oregon's computer network. The flaw allowed him to access highly sensitive data, including the Social Security numbers of over 3,500 public university employees statewide, among them the university president and the football coach (the highest-paid public employee in Oregon). Despite Mitchem reporting the breach twice to university officials, intending it as a warning to strengthen cybersecurity, the institution responded by subjecting him to a disciplinary hearing instead of addressing the systemic weakness.

The exposed data primarily involved internal employee records, raising concerns about identity theft, financial fraud, and reputational damage to the university. The incident highlights negligence in patching critical vulnerabilities, inadequate response protocols, and a culture of punishing ethical disclosure rather than incentivizing it. The breach did not involve ransomware or external malicious actors but stemmed from an unsecured network configuration, leaving confidential personnel data exposed to unauthorized access. The university's failure to act proactively exacerbates the risks of future exploits, legal liabilities, and erosion of trust among employees and the public.
TPRM report: https://www.rankiteo.com/company/uo-scds
{
  "id": "uo-5971159090625",
  "linkid": "uo-scds",
  "type": "Vulnerability",
  "date": "9/2025",
  "severity": "60",
  "impact": "3",
  "explanation": "Attack with significant impact with internal employee data leaks"
}
{'affected_entities': [{'customers_affected': '3,500+ employees (including high-profile individuals)',
                        'industry': 'education',
                        'location': 'Oregon, USA',
                        'name': 'University of Oregon',
                        'type': 'public university'}],
 'attack_vector': ['misconfigured system', 'lack of access controls'],
 'data_breach': {'data_exfiltration': 'unintentional access (no evidence of malicious exfiltration)',
                 'number_of_records_exposed': '3,500+',
                 'personally_identifiable_information': ['SSNs', 'employee identities'],
                 'sensitivity_of_data': 'high',
                 'type_of_data_compromised': ['personally identifiable information (PII)',
                                              'Social Security numbers (SSNs)',
                                              'employee records']},
 'description': "A former University of Oregon undergraduate, Owen Mitchem, discovered and reported a security flaw in the university's computer network that allowed him to inadvertently access confidential information, including Social Security numbers of over 3,500 employees (including the university president and football coach). The university responded with disciplinary action against Mitchem instead of addressing the vulnerability promptly.",
 'impact': {'brand_reputation_impact': ['negative publicity',
                                        "public criticism of university's response"],
            'data_compromised': ['Social Security numbers (SSNs)', 'employee records'],
            'identity_theft_risk': ['high (due to SSN exposure)'],
            'systems_affected': ['university computer network', 'employee database']},
 'investigation_status': "unclear (no public details on university's internal investigation)",
 'lessons_learned': ['Universities must establish clear vulnerability disclosure policies to avoid punishing ethical reporters.',
                     'Proactive security audits could prevent unintentional insider breaches.',
                     'Disciplinary actions against reporters may deter future responsible disclosures.'],
 'motivation': ['ethical hacking', 'responsible disclosure'],
 'post_incident_analysis': {'root_causes': ['Lack of proper access controls in university systems.',
                                            'Absence of a responsible disclosure policy.',
                                            'Inadequate response to vulnerability reports.']},
 'recommendations': ['Implement a formal bug bounty or responsible disclosure program.',
                     'Conduct third-party security audits to identify misconfigurations.',
                     'Train IT staff on secure access controls and authentication mechanisms.',
                     'Review incident response protocols to avoid retaliatory actions against reporters.'],
 'references': [{'source': 'OregonLive (or similar news outlet)'}],
 'regulatory_compliance': {'regulations_violated': ['potential violation of FERPA (Family Educational Rights and Privacy Act)',
                                                    'state data protection laws']},
 'response': {'communication_strategy': ['disciplinary action against reporter',
                                         'no public acknowledgment of vulnerability']},
 'threat_actor': {'motivation': 'ethical disclosure',
                  'name': 'Owen Mitchem',
                  'type': 'unintentional insider (student/researcher)'},
 'title': 'Unauthorized Access to University of Oregon Employee Data by Student',
 'type': ['unauthorized access', 'data breach', 'insider incident (unintentional)'],
 'vulnerability_exploited': ['improper authentication', 'insecure direct object reference (IDOR)']}