April 24, 2014

avatar

Sloppy Reporting on the “University Personal Records” Data Breach by the New York Times Bits Blog

This morning I ran across a distressing headline while perusing my RSS feeds. The New York Times’ Bits Blog proclaimed that, “Hackers Breach 53 Universities and Dump Thousands of Personal Records Online.” I clicked, and was informed that:

Hackers published online Monday thousands of personal records from 53 universities, including Harvard, Stanford, Cornell, Princeton, Johns Hopkins, the University of Zurich and other universities around the world.

I stifled the instinct to do a spit-take with my morning cup of coffee.

The post went on to note that the hackers “published some 36,000 e-mail addresses and thousands of names, usernames, passwords, addresses and phone numbers of students, faculty and staff, to the Web site Pastebin.com.” The article actually links to the Pastebin page, which seems to be of somewhat dubious judgment given the claimed harmfulness of the content, but I suppose that the Bad Guys don’t need the New York Times to help them find Pastebin links. I went there and found one of the mirrors of the alleged breach data for Princeton University, curious to see whether I was included (and wondering why I was first reading about this on the NY Times site rather than getting an email from the university).

It quickly became clear that the “breach” in this case was a SQL database dump of a WordPress blog run by Princeton alumni in the UK. That was all. The sum of all “personal records” contained in the “breach” was a list of 10 user names and emails for users of the blog, along with their hashed passwords. It wasn’t Princeton University, it was barely “personal records”, and it was undoubtedly not newsworthy.

I understand that things were a bit different at some other schools, but I can’t help but wonder whether a desire for spit-take-worthy headlines trumped diligent fact-checking in this case. It’s a shame, because data breaches and other online privacy problems are genuinely urgent issues. There is enough real harm happening in the world that journalists shouldn’t need to over-sell.

[Update: The Daily Princetonian likewise notes that this was unrelated to Princeton Univeristy itself ("UK alumni association online account information compromised in hack"), and Perlroth edited her story to note that, "In several cases, hackers breached student and alumni blogs– which contained things like usernames and passwords–not the university servers themselves. At Princeton, for instance, hackers breached a WordPress blog for Princeton alums based in the United Kingdom which contained several usernames and encoded passwords."]

Comments

  1. Josh Tauberer says:

    I tried to check the UPenn files but they’ve been deleted….

  2. Joshua Kroll says:

    I also had that impression as soon as I read the story. They claimed to have some data from Harvard, too, but it turns out to be a similar SQL schema dump from the Office of Fine Arts (which would not exactly count as defeating the university’s crack security…). Looking through a few other universities suggested that, as has become common practice for these sorts of things, the hackers were looking to make their list as long as possible in hopes of startling some lazy reporters into covering it.