The Indiana University Foundation stored sensitive documents on a public SharePoint group that anyone with an IU email address could have accessed.
The server had files including information on donors, internal financial documents and private correspondences. Experts described the security lapse as “huge,” and said it could put donors at risk for fraud. The SharePoint group was made private after the Indiana Daily Student notified the foundation of the server’s inadequate access controls.
The foundation is an independent, tax-exempt nonprofit that solicits donations and manages investments for philanthropic means — largely supporting students, faculty and programs at IU.
An IU Knowledge Base article published last year described SharePoint as intended for “internal sites,” and “an excellent tool for creating intradepartmental websites that require users to authenticate to gain access.”
“The files primarily contain data in our audited IUF financial statements, which are made available on our public website,” a foundation spokesperson said when reached for comment. “Protecting the privacy and security of our donor and financial information remains a top priority.”
Though audited IUF financial statements were a part of the public folder, the data available appeared to go far beyond the foundation’s public disclosures. The IUF spokesperson didn’t say whether anyone was aware it was public. The spokesperson also didn’t indicate what actions the foundation would take to bolster its security following the lapse.
The group was published in February 2022, and the foundation spokesperson didn’t answer how long the SharePoint group had been public.
A major security lapse
The files were stored in a SharePoint group labeled “O365-Finance & Accounting,” which was marked as public. It had 18 members, including two owners — an IUF accounting coordinator and an “IUF employee.” Others included:
- IU East’s director of cash management and payroll
- Multiple IUF accounting and analyst staff
- Multiple members simply labeled as an “IUF employee”
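A group marked “public” in Microsoft 365 exposes its connected SharePoint site to every authenticated user in the tenant. The following is an added example, not code from the article or from the foundation, showing how an administrator could enumerate such groups and their owners for review; it assumes the Microsoft Graph PowerShell SDK and an identity holding Group.Read.All (Group.ReadWrite.All if the optional remediation switch is used).

```powershell
# Added example: list Microsoft 365 groups whose Visibility is Public, i.e. whose
# group-connected SharePoint site is readable by any signed-in user in the tenant,
# together with owners and member counts so each can be reviewed.
# Assumes the Microsoft.Graph PowerShell SDK is installed; -Remediate is a
# hypothetical switch for this script, not a Graph parameter.
param(
    [switch]$Remediate   # when set, flip each Public group to Private
)

Connect-MgGraph -Scopes "Group.Read.All" -NoWelcome

# Only Microsoft 365 ("Unified") groups carry a group-connected SharePoint site;
# Visibility is Public, Private or HiddenMembership.
$publicGroups = Get-MgGroup -All -Property Id,DisplayName,Mail,Visibility,GroupTypes,CreatedDateTime |
    Where-Object { $_.GroupTypes -contains 'Unified' -and $_.Visibility -eq 'Public' }

foreach ($g in $publicGroups) {
    # Owners come back as directory objects; the UPN sits in AdditionalProperties.
    $owners  = Get-MgGroupOwner -GroupId $g.Id -All |
        ForEach-Object { $_.AdditionalProperties.userPrincipalName }
    $members = Get-MgGroupMember -GroupId $g.Id -All

    [PSCustomObject]@{
        DisplayName = $g.DisplayName
        Mail        = $g.Mail
        Created     = $g.CreatedDateTime
        MemberCount = @($members).Count
        Owners      = ($owners -join '; ')
    }

    if ($Remediate) {
        # Private stops tenant-wide browsing of the site, but does not revoke
        # sharing links already issued or copies already downloaded.
        Update-MgGroup -GroupId $g.Id -Visibility 'Private'
    }
}
```

Making the group private does not answer who already opened its files; that requires the tenant’s unified audit log (for example, a search on FileAccessed operations scoped to the site) while the retention window still covers the exposure period.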
The extent of the connection between the foundation and the university, two distinct organizations, is unclear. IU general counsel, in response to one public records request this year, said, “Indiana University and Indiana University Foundation are separate entities, and Indiana University does not have access to or maintain records of the IU Foundation.”
The files included private memos, correspondence and internal staffing and financial information. They also included a spreadsheet outlining the foundation’s travel reimbursements for IU President Pamela Whitten. Various other reimbursements, expenditures and banking information could also be found on the server.
Australian web security consultant Troy Hunt said that insufficient access controls, likely accidental in this case, aren’t anything unusual for larger organizations. Most go unreported and are detected and fixed internally. Still, he said, the information on donors stored in the public SharePoint group posed a privacy risk.
Putting donors at risk for fraud
Jeremiah Fowler, a cybersecurity expert based in Europe, said unintended viewers could potentially use donors’ information for scams or targeted attacks.
“If they're donating to an endowment or something like that, these are probably high-wealth individuals, so they would be perfect high-value targets,” he said.
The documents appeared to include donors’ names, contribution amounts and the intended use of some donations. One document appeared to include a donor's personal contact information.
If malicious actors obtained the knowledge and financial information found in the documents, Fowler said, they could send false invoices to donors pretending to be the foundation.
Malicious actors who accessed the SharePoint group could also have gleaned information on the foundation’s internal workings from the contents of the documents, allowing for more complex phishing or social engineering schemes.
Phishing refers to a process where attackers send emails or messages to trick people into clicking harmful links or giving away personal information. It’s one example of social engineering, a broader method of tricking people via manipulation, often by using personal details to gain trust.
The information freely available on the SharePoint group could have easily been used to this end, Fowler said.
He said the @iu.edu email domain could be easily spoofed by a malicious actor outside the university. It’s unclear how many users could have accessed the folder. In an announcement of last year’s initiative to unify everything under the @iu.edu domain, the university said it had more than 250,000 valid email addresses.
Those already on the inside, Fowler said, could be more dangerous.
“You get a disgruntled employee, angry former student, something like that, you run the real risk of that person dumping that information,” he said.
The foundation didn’t respond to questions regarding whether it had conducted a review of who accessed the group while it was public.
EDITOR’S NOTE: The Indiana Daily Student found the public group after clicking on one of the group member’s Outlook profiles. The profile linked to files associated with that individual, which, once opened, gave access to the public group’s contents.
CORRECTION: An IU webpage incorrectly listed one of the group's members as working for IU's Department of Mathematics. That individual is now employed by the foundation.