Many data breaches result in privacy concerns due to data access or exfiltration. But here’s a case where a school’s incident response is causing a new set of privacy concerns. The original incident was covered on DataBreaches.net, and it appears that Rensselaer Polytechnic Institute has not disclosed anything significant since then. Now more people are demanding answers and protesting one of the school’s new requirements in response to the breach.
Rachel Silberstein reports:
… With RPI systems still down, students, faculty and staff have no access to their emails, RPI websites, dining dollars, or Wi-Fi accounts.
The university is also requiring all students and faculty to download “security software” on any device connected to the university’s network as it begins to partially restore services.
And from that arises privacy concerns and protests.
Students and faculty are organizing on Reddit to push back on the requirement to download the CrowdStrike Falcon program, which they say allows an outside company “kernel-level” access to all parts of the computer — such as apps opened, websites visited, and email communication — creating new security and privacy concerns, the student said.
“In addition, this gives the school the ability to remotely access students’ computers without consent or knowledge at all, allowing them to transfer files between them. This is a huge privacy and student rights concern, and may not work well for contracts involving IP-sensitive material,” the student wrote in a message to the Times Union. “From my research into CrowdStrike Falcon, contents of emails/files are not read, however, it can be at any time without user knowledge.”
Read more on Times Union.
h/t @SheilaLKaplan