In this week’s Quest, we’re publishing further coverage of an investigative story we first released at the end of September, one that detailed the ways in which a flaw in the college’s campus directory had exposed the campus ID numbers of thousands of students, staff, faculty, and alumni. However, our approach to that coverage has changed significantly since September, partially due to the college’s handling of our previous reporting.
During our initial reporting, the Quest chose to be at least somewhat open and transparent with IT professionals about our coverage and research. After first reaching out to Cybersecurity Architect Payam Damghani and Chief Information & Security Officer Val Moreno on September 5 — 24 days prior to the publication of our coverage — we engaged in open dialogue with IT, passing along the details of new vulnerabilities that were reported to us and even making compromises on our publication timeline. We did so partially out of concern that, had we not done so, our coverage could have exposed student data to even greater risk.
However, the Quest was warned at the time that engaging so openly may have been “too responsible,” and could expose our paper to attempts to undermine our work. Those fears ultimately proved reasonable. On the night of Thursday, September 28, CIO Moreno sent an email to the Reed community that seemed designed to minimize the reporting the department knew would be published the following day. Despite our dialogue with IT, we received no warning that such an email would go out, and, worse, one of the sources involved in that story later argued compellingly that it was, at best, misleading, and at worst, outright inaccurate.
That email would not have been possible had the Quest been less willing to engage in dialogue in the weeks leading up to that initial coverage. So this time, we weren’t. This week’s story is based almost entirely on a series of leaked documents corroborated by a small handful of sources within IT, most of whom would speak only with anonymity. We recognize that, in some ways, that weakens the story.
We also want to be very clear that, in two places, the Quest attributes statements to IT professionals Payam Damghani and Kerri Creager that have not been confirmed by the individuals themselves, but only by third parties. While we have confidence in the reliability of our sources, we cannot be certain that those statements are accurate without confirming them with Mr. Damghani and Ms. Creager. We chose not to seek such confirmation prior to publication because, to do so, we would have to reveal the extent of our reporting. We no longer trust the college with such advance notice. We also have no reason to believe that doing so would guarantee an answer, as our attempts to seek comment on the previous story were not always acknowledged (our email to the president’s office on September 28 still has not been answered.)
For that reason, the Quest has chosen to run the story as it is and make updates and corrections as necessary in future coverage. We recognize the lack of independent confirmation on certain details weakens this story, but seeking it in those cases would, we believe, expose the paper and our sources to greater risk. This is an evolving situation, and we hope to be able to more thoroughly confirm such details in the future.
The Editors of the Reed College Quest