
University of Sydney failed to protect students: Privacy Commissioner

Report slams university over website security flaws dating back to 2007

An investigation by the Acting NSW Privacy Commissioner, John McAteer, into the University of Sydney's security breach in January has found that the institution failed to meet its obligations to students under the Privacy and Personal Information Protection (PPIP) Act of 1998 due to a series of security blunders.

According to the report (PDF), a similar security flaw on the university's website was first reported in 2007.

"The university repaired the code error that allowed unauthorised access to student records on the university’s website by way of introducing a security patch but when updates to the software were made later in 2007, the patch was not re-introduced into the system due to an oversight," McAteer said in a statement.

The university has since introduced a new software control system that mitigates the risk of this happening again.

"In a further briefing provided to staff of this office, the university explained that the flaw in January 2011 was not an outcome of the failure in 2007 to re-install the security patch," McAteer said.

"Section 12 of the PPIP Act imposes a positive obligation on the University to take all reasonably available security measures to ensure a student’s personal information recorded on the University’s web-accessible records through the many transactions students complete on-line does not become available to unauthorised persons and bodies."

McAteer said that the University should have been aware that it held sensitive personal information about thousands of people which, if it fell into the wrong hands, could expose them to physical and financial threats.

"The information leaks in January 2011 resulted from what can be simply described as a programming error that allowed access to student records directly from one’s Web browser without the need to enter a password," he said.

According to the commissioner, the flaw was "avoidable" and the University did not take the available steps to avoid the risk that the leaks would eventuate.

While the report found that the university did not meet its obligations under section 12 of the PPIP Act, McAteer said that it did respond to the breach of security with "urgency and effectiveness" and that there was no need to take further action.

Got a security tip-off? Contact Hamish Barwick at hamish_barwick at idg.com.au
