A recent security flaw rendered hundreds of individual letters of recommendation for University of Wisconsin-Madison graduate program applicants publicly accessible and downloadable.
By searching student names or entering a search query related to graduate program applications in search engines, users could access, view and download hundreds of letters of recommendation for applicants to UW-Madison graduate programs.
Though the issue appears fixed on Google as of Thursday evening, searching the same queries in search engine DuckDuckGo shows personal email addresses and other sensitive information about students.
Clicking on the page links to recommendation letters now shows UW-Madison’s online recommendation application is “down for a critical patch."
It’s unclear how long the security flaw has been in place and the extent of letters affected. Searches conducted by The Daily Cardinal indicate there were accessible letters for applicants across nearly all UW-Madison graduate programs.
Anthony Ozerov, a University of California-Berkeley PhD student, came across the vulnerability while looking for a friend’s website on DuckDuckGo. While typing in his friend’s name, he was shocked to come across a letter of recommendation for his friend, which he was able to view and download in full.
“I was thinking, 'Okay, how could this happen? Is it just him?'” Ozerov said during a phone interview.
It was not, he soon found out. Ozerov took the first portion of the URL, put it into DuckDuckGo and found he was able to access other materials available on the electronic letter of recommendation (ELOR) system.
He emailed UW-Madison about the security flaw on Thursday morning and received a quick response saying it would be their “top priority.” By Thursday evening, web pages that previously showed the letters of recommendation gave the critical patch error, Ozerov said.
Still, simply by searching students’ names in DuckDuckGo, users could find preview text for their letters as of Friday morning.
“Applicant information should not be revealed when I look up one of my friends on a search engine. I should not be able to accidentally find a recommendation letter submitted to your university for my friend when looking him up,” Ozerov told UW officials via email.
Ozerov said the links he was able to access included letters of recommendation, surveys for recommenders about applicants and submission pages for recommendations.
“This story represents a huge security failure on the part of the university and an egregious violation of graduate students' privacy (perhaps [Family Educational Rights and Privacy Act]) rights. It is also obviously a violation of recommenders' expectation of confidentiality,” Ozerov told the Cardinal via email.
He said over the phone he has reason to believe it’s “every single applicant to the graduate schools.” The Cardinal could not immediately verify this claim.
“If one of [the recommendations] was indexed somehow, however, that one was indexed by the search engine all of the other ones were also indexed,” Ozerov said.
Given that his friend is a first-year student at Berkeley, Ozerov assumes applicants for last year’s cycle had their letters publicly available as well.
Under the Family Educational Rights and Privacy Act (FERPA), the federal law mandating student privacy practices, institutions must use “reasonable methods to ensure that school officials obtain access to only those education records in which they have legitimate educational interests.”
“An educational agency or institution that does not use physical or technological access controls must ensure that its administrative policy for controlling access to education records is effective,” the policy goes on to read.
The Cardinal was able to access a rating survey and recommendation submission page for a 2021 applicant to UW-Madison’s PhD computer science program through the Wayback Machine. The page included contact information for the recommender.
“UW-Madison takes data security and privacy extremely seriously,” UW-Madison spokesperson John Lucas told the Cardinal in an email statement. “The university is aware of this issue, has taken corrective action and is in the process of investigating."
Editor's note: This story was last updated at 11:38 a.m. on Jan. 19, 2024. The Daily Cardinal has redacted personal information from screen captures of application materials to protect the privacy of those involved.
Liam Beran is the Campus News Editor for The Daily Cardinal and a third-year English major. Throughout his time at the Cardinal, he's written articles for campus, state and in-depth news. Follow him on Twitter at @liampberan.
