Physics major Owen Mitchem said that last fall he was able to inadvertently access confidential information, including the Social Security numbers of more than 3,500 public university employees around the state, among them the university’s president and its football coach, the highest-paid public employee in the state. He says the breach should have been a wake-up call for the university to tighten its online security.
But according to an email the university provided to The Oregonian/OregonLive in response to a public records request, the university’s associate dean of students, Dianne Tanjuaquio, concluded that Mitchem’s actions violated the school’s policies on “acceptable use of computing resources.” She required him to write a 750-word essay reflecting on the situation; if not completed, he could face a suspension of his student account, preventing him from registering for classes or changing his course schedule.
Mitchem says he was just searching in Microsoft Teams for some budget figures for the physics club he ran when he stumbled across a spectrum of university financial documents, visible via files on SharePoint, a Microsoft tool that can be integrated with Teams. They seemed harmless at first glance, he told The Oregonian/OregonLive, but not something his student email permissions should have allowed him to view.
Mitchem alerted a physics department grants technician and assumed the wide access would be quickly corrected. He later found out that the technician hadn’t alerted the university’s information department, meaning that unbeknownst to him, the IT department remained unaware of the security lapse, Mitchem said via email.
A week later, he said, he and a graduate student friend checked to make sure that the information had in fact been locked down.
It hadn’t, he wrote in an email to The Oregonian/OregonLive.
“Given that it had been a week since I thought the issue had been reported, we assumed that (all records they still could find) were documents that we were supposed to have access to, so we decided to poke around,” Mitchem wrote.
He says they entered an asterisk as their search term and filtered to find Excel files.
That yielded even more information that should have been private, Mitchem said.
He could see graded assignments. Confidential donor logs. Tenure evaluation reports. Details of faculty medical leave requests. Passwords for university-run social media accounts.
The pair were also able to see a retirement plan report that included Social Security numbers for 3,692 employees from all seven of Oregon’s public universities, and alarm bells went off. (The University of Oregon manages retirement plans for all of Oregon’s public universities.)
Mitchem’s friend, who was serving as the treasurer for the Graduate Teaching Fellows Federation at the time, wrote to leaders of the faculty union, telling them that “something was badly wrong with UO’s Teams permissions,” according to a copy of the email sent last Halloween. He included a link to the document that listed thousands of Social Security numbers.
(The friend also used the information to send two disparaging tweets about the university’s treatment of its graduate student workforce from the official social media account for its development department. He later admitted to university investigators that he had done so without Mitchem’s knowledge, according to the disciplinary report the university provided to the newsroom. University officials contend that Mitchem nevertheless bore some blame for helping alert his friend to the existence of the documents in the first place.)
By the next day, the document with all the Social Security numbers had vanished. The university subsequently notified every person on that list of the breach and offered them a complimentary one-year membership to an identity protection service.
But Mitchem’s troubles were just beginning.
In his mind, he had done the university a favor by alerting it to its security lapse.
In the mind of university officials, however, he had violated the university’s policies on acceptable use of computing resources, discipline records show.
They were unconvinced by his argument that anyone would have been curious to see whether the information was still available, and believed that his account of how he had inadvertently come across the records “did not match the digital footprint of his discovery,” said Angela Seydel, a university spokesperson.
Tanjuaquio, the associate dean of students, told him university officials were concerned about his “decision-making process.”
“I have determined that there is sufficient information to find that you engaged in the unauthorized access to documents located in SharePoint, and continued to search for and access documents even after the potential security breach was reported to the University,” Tanjuaquio wrote to Mitchem.
Mitchem’s punishment was to write a 750-word reflection on the entire affair, in which he was asked to answer the questions “What do you think you need to do to make things right?” and “What has been the most difficult thing for you?” about the experience.
He never submitted the essay, he told The Oregonian/OregonLive Wednesday. Instead, he said, he told university officials, “as I am no longer a student at the University of Oregon, I will not be submitting a reflection paper. Enjoy placing a hold on my account. Best, Owen.”
Meanwhile, José Dominguez, the university’s chief information security officer, has been working for several years on an update to the school’s acceptable use of technology policy, which is expected to go to the school’s Policy Advisory Committee for final adoption this fall. A draft of the updated policy would expressly prohibit any attempt to locate data on the University of Oregon’s network for which “the user does not possess a justifiable business reason for attempting access.”
The ways in which users can run into trouble under the new policy include searching messaging tools, like Teams, for data, as Mitchem did. The new policy is still under review, after feedback from community members, Seydel said.
Such an update, Mitchem said, could make it less likely that future students who come across unsecured data, as he did, will report it to authorities.
“This new policy plainly discourages future reports of this type of negligence,” he said.
Ken Westin, a Portland-based senior solutions engineer for the security operations platform LimaCharlie, said it sounded as though Mitchem had tried to handle the whole situation responsibly and should not be “scapegoated” for any holes in the institution’s security system.
“He actually did them a favor by notifying them” when it became clear that the first report hadn’t fixed the problem, Westin said. “If the university isn’t able to protect personally identifiable information, that is a serious concern.”
Seydel said that the university’s information technology staff has since done a sweep of what information is accessible on shared platforms and also tried to educate users on how they can better protect their information.
“The UO system contains thousands of documents, and each individual is responsible for the accessibility protection they place on the documents saved and shared,” she said. “Under the acceptable use policy, users are also asked to understand that, at times, they may come across information outside of their scope of need. They are asked to respect the fact that they do not have a need to access that document nor share it with others.”
But such a policy should not be punitive towards those who investigate and report on problems, like Mitchem, said Westin, the security expert.
“For them to punish him sets a precedent for other students that could identify vulnerabilities,” Westin said. “Other students are going to be afraid to come forward.”
©2025 Advance Local Media LLC. Distributed by Tribune Content Agency, LLC.