Skip to Content, Navigation, or Footer.
The Tufts Daily
Where you read it first | Sunday, December 22, 2024

'TuftsLeaks' releases documents containing sensitive financial information

source-code-tuftsleaks

A group calling itself TuftsLeaks published documents online earlier this month that contain sensitive financial information from Tufts. The leak included department budgets, the salaries of thousands of staff and faculty and the ID numbers of student employees with salaries listed. Only student salaries from fiscal year 2015 were listed in the leaked documents.

These documents were released through a TuftsLeaks website, which was no longer accessible by the evening of May 4. It was hosted on Dutch hosting service AbeloHost, which, according to its website, guarantees "total privacy and data security" through offshore hosting. The group's domain name was purchased on April 29, according to the website's WHOIS data.

No personal identifying information, such as social security numbers, was found in the leaked documents, according to a May 5 announcement from Executive Vice President Patricia Campbell and Senior Vice President for University Relations Mary Jeka. The leaked salary information was of employees in the School of Arts and Sciences, the School of Engineering and the University Advancement division, the email read.

According to Executive Director of Public Relations Patrick Collins, the TuftsLeaks website was deactivated at about 11 p.m. on May 4 following the issuance of take-down notices by the university, after administrators learned that confidential information had been released earlier that evening.

He added that police are working to discern who is responsible and that the Tufts community will be updated on any developments in the investigation. Collins said the university is taking steps to prevent a data breach like this in the future.

"The information was posted without university authorization," Collins told the Daily in an email. "Tufts University Police Department is working with state and federal law enforcement officials to aggressively investigate this incident and determine how this information was obtained and posted."

In an email sent to members of the Daily’s staff on May 3, TuftsLeaks stated its goal in releasing documents: "We deserve to know where our money is going." The group has not responded to a request for comment.

However, the documents released so far only show salaries and budgeting information. Salaries of higher-level administrators are listed in the university's filings with the Internal Revenue Service, and thus were already publicly available.

A similar incident occurred in April 2011, when a group called "Jumboleaks" released a list of university financial holdings that turned out to be mostly outdated, according to a 2011 Daily article. There is no evidence the two leaks are connected.

Throughout May 4, sponsored content advertising the leaks began to populate many students’ social media feeds, suggesting the group invested money into making these leaks secure and increasing their visibility.

After the leaks were released, a small group of students, all taking a class titled Cyber Security and Cyber War this semester, attempted to find out how best to uncover the identity of the leakers and the source of the information. Among them was sophomore Margaret Gorguissian, who said she felt that the release of this data violated the privacy of students and faculty, and was largely unnecessary.

"If TuftsLeaks wanted to jab at the administration, why throw students under the bus?" Gorguissian, who works on campus, told the Daily in an electronic message. "I feel like it was their own little ego trip."

Sophomore Avi Block, who holds two on-campus jobs, shared this frustration, saying that if those behind the leaks wanted to expose spending practices in the wake of increasing tuition hikes, the data that was released seemed irrelevant to that goal.

“It seems to me like a stupid drive for attention but without anything of any actual value being shared,” Block told the Daily in an electronic message.  “Nobody’s mad that school is too expensive because the teachers or students are getting paid too much.”

San Akdag, another student in the class, said the students came together out of an interest in the cyber security implications of the leak.

According to Akdag, Gorguissian and junior Noah Cutler, another student in the cyber security class, metadata about computer-to-computer interaction was scrubbed from the documents by the leakers, meaning that they were able to hide information about how they obtained the information or whether the documents were modified.

“The social media, the google analytics, the cryptic messages, shows that this was planned out," Gorguissian said. "Yes, they’re leaking indiscriminately, but they’re also highlighting certain things. It’s strategic.”

Gorguissian suggested that the leakers are specifically using European hosting services and domains due to privacy concerns. AbeloHost’s website corroborates this claim, promising its clients legal security and privacy.

The website included links to four leaked folders, only one of which — labeled “Finances” — was accessible. The other three, labeled “Administration,” “Email” and “UIT,” were locked, suggesting the leakers have more information to be released in future dumps.

The source code for the website indicated the leakers intend to release more data. Underneath a statement built into the code that reads “every action has an equally expensive reaction,” two more “rounds” of leaks were scheduled for May 8 and May 10, but these did not occur.

Akdag and Cutler said that this information indicates a possibility for future leaks.

“Anyone looking through this current dump for useful info is wasting their time,” Cutler told the Daily in an electronic message. “The attributes of the leaked information demonstrated the extent of the penetration … essentially, this was just to get our attention.”

In the May 5 email to the Tufts community, Campbell advised anyone affected by the leaks to take steps to enhance the security of their Tufts data, particularly by enrolling in the school's two-factor identification program.

"Information contained in the data that was posted might be used to personalize 'phishing' attacks on members of the university community," she said.

Daniel Caron and Deepanshu Utkarsh contributed reporting to this article