A US Customs and Border Protection (CBP) recruiter exposed the sensitive information — including visa status — of more than 1,300 students and alumni from the Washington, DC–based American University following a May 15 virtual career fair.
The incident raises serious concerns about how information is shared between universities and job recruiters — including those from CBP — especially as students navigate the job market online amid the coronavirus pandemic.
Registrants were asked to provide the usual information: which employers they wanted to virtually meet, a student ID number, an email address, a phone number, and whether they required visa sponsorship for employment. They expected the university to pass on that information to recruiters representing those companies in which they had expressed interest.
What they did not expect was that the career fair organizers contracted by the university would pass on that information to employers they did not want to meet, like the CBP recruiter in attendance.
Just a few dozen registrants expressed interest in the CBP. Nevertheless, according to the Rival, an online student-run paper, a CBP recruiter received information on every person who registered for the event — and inadvertently leaked it.
The privacy breach was revealed by accident. Following the event, the CBP recruiter, Roman Jacquez, sent an email to the registrants who had expressed interest in the agency. It appears that Jacquez forgot to remove an attachment in the email, which included a spreadsheet containing personal data on the more than 1,300 registrants — including their visa status.
American University had partnered with CareerEco, a company that hosts virtual recruiting events, for the May 15 career fair. Notably, CareerEco made clear on their own website that they provide all potential employers with “unlimited access to all registered candidates’ information,” which university officials would likely have known had they viewed the company’s website before agreeing to work with them for this event.
When asked about how it shares information with employers and whether it informs event coordinators of these policies, CareerEco declined to comment because the company “strictly [serves] as the platform for hosting organizations.”
This breach highlights what appears to be an error on the part of the university officials who allowed students’ information to be so broadly shared.
Students raised concerns that, although they were asked to note which employers they wanted to speak with, their personal information was nevertheless shared with all 111 employers in attendance — including the CBP recruiter.
Some students have expressed concerns that CBP’s information on immigration status may reach Immigration and Customs Enforcement (ICE) and could result in some AU students being detained or even deported.
AU officials, however, downplayed the seriousness of the leak and appeared to shift the blame to the CBP recruiter who shared the information.
“While unfortunate, one mistaken email from a recruiter does not change the positive outcomes that the fair [offered] the AU students and alumni who participated,” AU spokesperson Natasha Abel told another student paper, the Eagle. “We have heard from many attendees who shared their appreciation for the opportunity to connect with so many employers at a difficult time.”
Abel said that university officials would “make every effort” to prevent similar incidents from happening at its career fair in the fall.
As of Friday evening, the university had yet to inform the entire student body of the data breach. Those who did receive the original email from the CBP recruiter were subsequently asked to delete the email containing the spreadsheet, according to the Rival.
Gadeir Abbas, senior litigation attorney for the Council on American-Islamic Relations, questioned whether other universities allow CBP to access this kind of information. University officials could have prevented this privacy breach, Abbas said, if they had limited employers’ access to the information of only students who explicitly wanted to speak with them.
Some student groups raised concerns about how close the university is with the US Department of Homeland Security (DHS) — which runs CBP — both in its dealings and proximity (DHS’s headquarters is located across the street from AU’s campus).
Some universities are starting to ban CBP recruiters from career fairs — the University of Washington at Tacoma told CBP that it was “unwelcome” at its winter career fair earlier this year because students felt unsafe.
“It doesn’t look like the federal government intended to do this, but they shouldn’t have had this information in the first place,” Abbas told WhoWhatWhy.
“People need to be mindful of what information is getting into the government’s hands.”
American University has a relatively small student population compared to other nearby universities, but it also has a sizable international student population.
AU College Democrats condemned the incident in a statement as demonstrating a “complete disregard for students’ safety.” The group is calling on the university to sever its ties with CBP and ban the agency from all university functions moving forward, Brooke Frischer, communications director for AU College Democrats, told WhoWhatWhy in an email.
“Unfortunately, due to this detrimental misstep on AU’s part, the information leaked is now in the hands of CBP and the 1,300 students that were recipients of attendees’ information,” Frischer said.
“AU must act in order to protect our fellow students and communities now at risk due to their harmful decision to include CBP in this career fair in the first place.”
A spokesperson for CBP told the Eagle that it “takes its privacy responsibilities very seriously,” and took immediate steps upon learning about the incident to “ensure it was being appropriately investigated and contained.”
The school also made headlines in 2018 when it was revealed that Russian operative Maria Butina was able to pursue graduate studies at American University’s School of International Service, where she went undetected while working on a sensitive cybersecurity project. Butina was later arrested for her efforts to infiltrate conservative groups in the US, and pled guilty to having conspired to act as an agent of a foreign government.
Some students view the administration’s recent failure to maintain their privacy as yet another oversight for which the university should be held accountable.
Abbas argued that there was no need for CBP to have information about people who had not even expressed interest in working for the agency, and said that the fact that career fair participants’ information made its way to CBP reflects “reckless planning on the part of American University.”
“CBP’s ‘whoopsies’ is what brought American University’s mistake to light,” he said. “American University has a lot of responsibility for what happened here.”