Stanford University executive leaves job after huge data breach

Stanford University in Stanford, Calif., Dec. 8, 2014. (Max Whittaker/The New York Times)

The chief digital officer at Stanford University’s Graduate School of Business is out of a job days after campus officials revealed that the school had failed to disclose a huge data breach of personal information that came to light only after a student made it known.

Ranga Jayaraman, who also served as associate dean of the business school, sent a deeply contrite email to colleagues on Saturday morning and said he was leaving Stanford after six years on the job.

“I take full responsibility for the failure to recognize the scope and nature of the ... data exposure and report it in a timely manner to the dean and the University Information Security and Privacy Office,” Jayaraman wrote. “I would like to express my most sincere apologies ... to anyone whose personal information might potentially have been compromised.”

Stanford officials said Friday they have no evidence that personally identifiable information had been accessed.

A student in the business school discovered the massive glitch in February. Adam Allcock, an MBA student, alerted technology officials when he asked them questions about the data. Thousands of confidential student financial aid records were visible within the business school, as was employee information from 2008 — Social Security numbers, birth dates and salaries of nearly 10,000 employees and former employees — from mid-2016 through early March, when the tech team patched it.

Meanwhile, Allcock downloaded the financial-aid data and analyzed how the business school awarded scholarship money. As The Chronicle reported last week, Allcock’s study showed that despite the business school’s claim that it awarded tuition discounts only on the basis of student need, and never on the basis of merit, for years the school actually handed out deep discounts to non-needy applicants it hoped to attract: those with backgrounds in finance, for example, and women.

In October, Allcock presented his 378-page analysis to Jonathan Levin, the business school’s dean, alerting officials to the data breach for a second time.

This time, no one sat on the information. Stanford officials looked into the matter and did not dispute Allcock’s analysis. They also confirmed a separate data breach revealed last month by student reporters at the Stanford Daily who found that confidential files of more than 200 employees and alumni — including anonymous information from personal counseling sessions — had been visible to users at dozens of other college campuses.

On Friday, Stanford officials apologized for their poor handling of confidential information and sent thousands of notification letters to those affected. A day earlier, Levin, the business school dean, announced that the school will be “significantly more transparent” about how tuition discounts are awarded.

Allcock declined to comment Tuesday on the fallout of his discovery.

Jayaraman told The Chronicle that he never intended to deceive anyone by not telling the business school dean or campus officials about the data breach.

“A decision like that is always a judgment call,” he said. After the problem was patched in March, “I thought we’d done a detailed enough evaluation, and we didn’t hear there was super-sensitive information (disclosed), so I decided to let it go.”

Today, he said, he would make a different decision.

Nanette Asimov is a San Francisco Chronicle staff writer. Email: nasimov@sfchronicle.com Twitter: @NanetteAsimov