Last night the Quest published a series of investigative stories detailing several significant vulnerabilities in the college’s systems that unintentionally exposed the Reed ID numbers of hundreds of students, staff, faculty, and — bizarrely — alumni.
Those stories have been in the works since an anonymous source initially contacted the Quest during the first week of September, and were in fact delayed several times to give Reed’s IT department time to fix the serious vulnerabilities they detailed.
To many of you, the most obvious and most dramatic aspect of those stories will likely be the scale of the leaked data. But to those of us who have spent much of the past month on this reporting, what stands out most is the culture of distrust that had settled over students and IT professionals since last year.
Reed student Tucker Twomey — whom we salute for having the courage to speak under his own name during a breaking news situation even after he was offered anonymity — said that he hesitated to alert the college to flaws in the system for months after first discovering them, partially because he feared facing retaliation or disciplinary action merely for bringing such a report.
There is a reason that Tucker is the only significant source in our reporting who was willing to speak to us without a guarantee of anonymity. Many of those we’ve spoken to this month have echoed his fear. Even within Reed’s IT department, a significant security vulnerability went unaddressed for months because it was kept quiet — some Reed IT professionals who spoke to the Quest said that even they were not made aware of it until the publication of our story.
So we want to be very clear about what we consider to be the real crisis of this story. The real crisis is that IT went unaware of a vulnerability in their own systems for months because of a campus culture that made well-intentioned students hesitate to merely bring a report out of a fear of retaliation. The real crisis is that, when the department was eventually informed by a different student in May, far from thanking “our IT student worker who had the time to wonder and to explore,” they didn’t take the report seriously, and didn’t fix the issue for an additional four months. The real crisis is that, when we, the student newspaper, attempted to submit another report of vulnerability in September, IT simply did not acknowledge that report for 71 hours, and eventually had to be prompted to respond by an in-person visit from a Quest reporter. Director of Technology Infrastructure Services Gabe Leavitt later said in an email to the Quest that even he had not been told of the paper’s attempt to notify the department until that afternoon, three days after it was sent to the cybersecurity division.
So make no mistake. This is not a difficult issue to exploit or to fix. It does not, contrary to IT’s email to the community, require “IT programming skills.” It’s literally just addition and subtraction. Anybody with a smartphone can do it, and indeed multiple student sources appear to have discovered it independently.
Had any of those students felt safe coming forward; had the college taken them seriously when they did; had better communication existed within IT; had the department respected Quest reporters’ work to minimize the damage caused by our story — a large part of our decision to give the department a seven-day warning of our publication date — rather than diminish the seriousness of that coverage before even reading it; had any of those things happened, we would not be here. Students would have been trusted, IT professionals would have trusted each other, and the issue would have been fixed in May — or, better yet, February.
Instead, students eventually came to the Quest out of desperation. In an initial interview, one expressed a sense that “it didn’t seem like [the college] would have any motivation to fix it without external pressure.”
Well, here we are. External pressure. After leaving the vulnerability open for all of June, July, and August, IT finally implemented a patch over the weekend of September 16, 2023 — less than two weeks after first being contacted by the Quest on September 5.
In a way, this is an honor. Students came to us, their paper, to bring to light an issue that they considered a real risk to themselves and their peers, because they thought we were the only ones who could. They thought the power of the pen was necessary to force the college to act. And we did, and it worked.
But we wish we didn’t have to. On a campus that maintained a culture of trust, this story never would have made its way to the student publications office. It wouldn’t have needed to, because students would have brought it to IT, and IT would have fixed it long before it became newsworthy.
That Reed’s is not such a campus, that students felt public pressure was necessary — was the only remaining safe way for them to bring such a report — is horrifying.
So our plea, after learning what we have over the past month, is this: let this be the last time we have to publish a story like this. Let Reed cultivate, from this day forward, a culture of trust where the student newspaper need not fulfill the role of protecting student data. Student journalists, and students in general, would be better off.
The Editorial Board of the Reed College Quest