IU GPA calculator under violation of federal privacy law

A GPA calculator on the Indiana Bloomington campus was in violation of federal privacy law. This included students from all nine IU branch campuses, including graduates from 2015 and later.

This calculator was used for the sole purpose under the domain of the Office of the Vice Provost for Undergraduate Education, to help students calculate their GPA for specific classes and get a better feel of what to accomplish in them. 

“It has been a little hard to trust the IU system since this happened. Knowing our grades have been out in the open for anyone to see makes [me] feel a little vulnerable,” junior Erika J said. 

The Family Educational Rights and Privacy Act acts to protect grades, test scores and courses which led students into wondering how this happened. 

Chuck Carney, Director of Media Relations and spokesperson for Indiana University, has never seen anything quite like this. The webpage was intended for internal use only and students were not supposed to have their hands on it. This happened because of a software vulnerability. 

“Any news about improperly accessed data is understandably troubling to students. Some students have certainly had questions about that,” Carney said. “Fortunately, we have been able to reassure them that while no unauthorized access to any student records is acceptable, it was limited. Only persons with an IU central authentication system login could see those records to begin with.” 

The IU information security team is examining how that happened to ensure it doesn’t happen again. The tool won’t be available until the vulnerability is fixed. The Department of Education can indeed pull their federal funding if the university is unable to fix this problem.

“The only records viewable were names of courses taken, course grades, course credit hours, semesters involved and GPAs from a subset of individual student records. No financial information, no social security numbers, or credit card information was visible,” Carney said. “Additionally, for a student record to be included, it would have to be a Bloomington-related student who took a course associated with an IUB program of study or whose record was reactivated since November 2013.”

Duo, IU’s enforced two step process to log into any information for students oversaw protecting this link. However, once students logged in there was a glitch and other students were able to search other users. As soon as IU was notified of the problem, the tool was shut down. Since that happened, the security team has been examining the system to understand what happened. 

“I’m not sure we could have acted more quickly and responsibly. You certainly can’t have a system in place that would let another student go in and see what your grades are,” Carney said.

FERPA training is also required of all IU employees. Disciplinary action for negligence, public disclosure of private information or not tracking disclosures of student records are just a few things IU could be held responsible for. This also depends on if IU knew the grades were accessible which they are claiming was not the case. 

The GPA calculator had been online since at least 2018 and has seemed to expand to all nine IU campuses. This is a big deal and could potentially cause an issue with IU’s reputation. There has been no abuse of the calculator reported but this could have gone more in depth. 

However, unless someone meets the criteria outlined for records that were accessible, no IUPUI students should have been at risk. If they did meet one of those criteria, they would have received an email stating so by this point.

Students do have the right to report FERPA violations to the Office of Registrar if they ever feel something needs to be shared, as well as talking with the Department of Education.