A vulnerability in the myWSU mobile application that allowed log-ins using incorrect or expired passwords has been corrected and Washington State University has notified the 3,777 students who may have been impacted.
No indication of criminal or other harmful activity associated with the vulnerability has been detected. The mobile application does not contain bank account information, social security numbers, birth dates, driver’s license numbers or student identification numbers.
However, there was information available that is protected under the Family Educational Rights and Privacy Act (FERPA), including:
- First and last names
- Schedule of classes
- Grades and grade-point average
- Holds and to do items
- Financial aid award information for current and previous years (dollar amount only)
- Current student account balance (dollar amount only)
None of these items can be manipulated by a user through the mobile application, nor can it be used to access additional information, except for the ability to add or drop classes.
The vulnerability was discovered Oct. 22, 2018 and was caused by an operating system upgrade on Feb. 24, 2018. In addition to resolving the problem, WSU has strengthened its testing procedures when performing service upgrades.
The university also will be implementing multi-factor authentication, an enhanced method of confirming a user’s identity, which will greatly reduce the risk of these types of incidents from reoccurring.