What We Know So Far
A software vulnerability in Reed College’s IRIS system has exposed the ID numbers of all students, faculty, and staff, as well as some alumni information. The flaw would potentially allow bad actors to clone the ID card of any Reed community member and use it as they please, including unrestricted access to any Reed building as well as to any student’s bookstore account and board point plan.
Independent Quest confirmation has revealed that this vulnerability was known to students since at least January 2023, and that the IT department did not become aware of it until this past spring. Despite first being alerted to the flaw’s existence in May, the IT department did not close the initial vulnerability until September 2023, after being notified that the Quest had become aware of the issue. Since first publication, we have learned from independent sources that a fix originally planned for May 2023 was halted over budget concerns. Additionally, users were previously able to download ID information, so even a complete patch does not undo the exposure: ID numbers that were already copied remain at large.
Summer 2023 Plan to Fix Systems Security Flaw Halted by Administration Over Budget Concerns, Say Sources Within IT
According to leaked documents obtained by the Quest, the Reed IT Department was moving forward with plans to fix the systems flaw reported by the paper in late September — which exposed the campus IDs of all students, staff, faculty, and alumni — as early as May 2023, but was prevented from doing so over budget concerns. Students had given the department “plenty of time” to fix the issue, one IT professional reportedly said in…
Editors’ Note: The following story was scheduled to appear in print and online on Friday, September 29. On September 22, The Quest alerted IT in good faith that the article would go to print the following week to give the department time to fix the massive security vulnerabilities detailed within. Forty minutes ago, IT sent an email to all Reed community members minimizing the seriousness of those vulnerabilities in a seeming attempt to get ahead…
Dear readers, Last night the Quest published a series of investigative stories detailing several significant vulnerabilities in the college’s systems that unintentionally exposed the Reed ID numbers of hundreds of students, staff, faculty, and — bizarrely — alumni. Those stories have been in the works since an anonymous source initially contacted the Quest during the first week of September, and were in fact delayed several times to give Reed’s IT department time to fix the…
The following email was sent after the Quest alerted the IT department that our coverage of this issue would be published on Friday, September 29. That coverage is now live on our website. Subject Line: Reed ID vulnerability background From: Valerie Moreno, Chief Information & Security Officer September 28, 2023 Dear Reed community, I’m writing to provide an update on a cybersecurity issue addressed by Reed IT last spring. In April, one of our IT…
Reed Reactor is Thoroughly Protected, New Source Confirms
September 29, 1:04 PM
Quest reporters were approached by a new anonymous source associated with the Reed reactor, who was more willing to speak to the details of reactor security than those previously contacted by the paper. The Quest can now independently confirm that the Reed Research Reactor is protected from the flaws described here, and ID card duplication would pose no risk to the reactor. This is in line with our previous reporting, which stated that the reactor was “at least somewhat protected,” but we can now confirm that statement to a much stronger degree.
New Vulnerability Continues to Expose PIDMs for All Users
September 29, 9:53 AM
Quest sources have independently confirmed a new vulnerability that continues to expose PIDM numbers for all students, staff, and faculty in the campus directory; IT has not yet patched it and it remains active. The Quest will not print the details of an active vulnerability, but is alerting IT to the details of the issue now.
IRIS Was Built At Least Partially Internally, Quest Confirms
September 28, 11:05 PM
The Quest is now comfortable confirming that at least large sections of the IRIS system and other affected systems were developed in-house at Reed, rather than being purchased from a third party software company.
First Student Knowledge of Directory Flaws Pushed Back Further to November 2022
September 28, 8:53 PM
Student Tucker Twomey said in an interview with the Quest that he had become aware of the autocomplete bug — which printed PIDMs for all users in the database — as early as November 25, 2022. On February 11, 2023, he first discovered that Student ID numbers could be easily calculated from PIDM numbers. He did not alert the IT department, and was aware of no earlier alert prior to the May notification already reported by the Quest. Twomey said he regretted not bringing the issue to IT immediately, but attributed it to a belief that the college “wouldn’t do much about it,” and a concern that he might suffer disciplinary action for having discovered and tested the hole in security. Twomey was also able to confirm that the flaw remained open at the end of the 2022-23 school year.
This extends the minimum time period during which some degree of vulnerability in the system remained open to nine and a half months — November 2022 to September 16, 2023.
New Information Pushes Earliest Date of Student Access to IDs to January 2023
September 28, 7:31 PM
Since the Quest’s initial coverage of a vulnerability in Reed’s systems was published, a source contacted the paper to say that they and at least one other Reed student had knowledge of that flaw as early as January 2023. This means that the vulnerability was accessible to any user for at least eight months before it was fixed by IT in September 2023, after being contacted by the Quest. That student did not alert IT to the vulnerability, so the department’s earliest date of knowledge remains at either April 2023 (as claimed in their email to students) or May 2023 (as independently confirmed by anonymous sources in conversation with the Quest.)