A fascinating story in The Harvard Crimson details a rather shocking security lapse in which “the confidential drug purchase histories of many Harvard students and employees have been available for months to any internet user, as have the e-mail addresses of high-profile undergraduates whose contact information the University legally must conceal,” according to the magazine.
The problem seems to be that two Harvard websites designed for student use did not properly authenticate the students who were supposed to be using them.
One website, now disabled, is the iCommons Poll Tool. According to the Crimson, that website “required nothing more than a free, anonymous Hotmail account and five minutes to look up the eight-digit ID of any student, faculty or staff member.” With that number, anybody could then go to the website operated by Harvard’s insurer’s website, PharmaCare, type in the Harvard University ID and the student’s date of birth (obtainable from the student directory and from “sites such as anybirthday.com,” and get the full history of all drugs that the student had ordered
There is a related issue involving the listing of student directory information if when students request that this information not be made available, a violation of another federal law.
Hats off to the Crimson! They also broke a story similar to this roughly 10 years ago, when it was revealed that Usenet browsing history was being left on public-access terminals.
Our best illustrations of 2022
Our artists’ thought-provoking, playful creations bring our stories to life, often saying more with an image than words ever could.
How CRISPR is making farmed animals bigger, stronger, and healthier
These gene-edited fish, pigs, and other animals could soon be on the menu.
The Download: the Saudi sci-fi megacity, and sleeping babies’ brains
10 Breakthrough Technologies 2023
Get the latest updates from
MIT Technology Review
Discover special offers, top stories, upcoming events, and more.