
University of Sydney failed to protect students: Privacy Commissioner

Report slams university over website security flaws dating back to 2007

An investigation by the Acting NSW Privacy Commissioner, John McAteer, into the University of Sydney's security breach in January 2011 has found that the institution failed to meet its obligations to students under the Privacy and Personal Information Protection Act 1998 (PPIP Act), the result of a series of security lapses.

According to the report (PDF), a similar security flaw on the university's website was first reported in 2007.

"The university repaired the code error that allowed unauthorised access to student records on the university’s website by way of introducing a security patch but when updates to the software were made later in 2007, the patch was not re-introduced into the system due to an oversight," McAteer said in a statement.

The university has since introduced a new software change-control system intended to stop a fix being dropped again when the underlying software is later updated.

"In a further briefing provided to staff of this office, the university explained that the flaw in January 2011 was not an outcome of the failure in 2007 to re-install the security patch," McAteer said.

"Section 12 of the PPIP Act imposes a positive obligation on the University to take all reasonably available security measures to ensure a student’s personal information recorded on the University’s web-accessible records through the many transactions students complete on-line does not become available to unauthorised persons and bodies."

McAteer said that the University should have been aware that it held sensitive personal information about thousands of people, which, if it fell into the wrong hands, could lead to potential physical and financial threats to them.

"The information leaks in January 2011 resulted from what can be simply described as a programming error that allowed access to student records directly from one’s Web browser without the need to enter a password," he said.

According to the commissioner, the flaw was "avoidable": the university did not take the steps available to it to prevent the leaks from occurring.
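The report describes the flaw only in general terms: a programming error that let a browser fetch student records without a password, and a 2007 fix that was later lost during a software update. The following is an added, constructed illustration of that flaw class and of the two controls a practitioner would want, not the university's code and not a description of its systems: a record handler that trusts only the identifier in the URL, beside a hardened handler that checks for a valid session and that the caller owns the record, plus a regression check that would fail loudly if the hardened behaviour were ever dropped from a build. All data, names and the request/response shapes are invented for the example.

```python
"""Constructed example: unauthenticated record access and its hardened form.

Nothing here is the University of Sydney's code; the records, sessions and
handler names are made up to illustrate the flaw class the report describes.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample records (student id -> record). Not real data.
STUDENT_RECORDS = {
    "s1001": {"name": "A. Example", "results": ["HD", "D"]},
    "s1002": {"name": "B. Example", "results": ["P", "C"]},
}

# Constructed session table (session token -> authenticated student id).
SESSIONS = {"tok-alice": "s1001", "tok-bob": "s1002"}


@dataclass
class Request:
    path: str       # e.g. "/records/s1001"
    cookies: dict   # e.g. {"session": "tok-alice"}


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def record_id_from_path(path: str) -> Optional[str]:
    """Extract the student id from a /records/<id> path, or None."""
    prefix = "/records/"
    if not path.startswith(prefix):
        return None
    return path[len(prefix):] or None


def vulnerable_handler(req: Request) -> Response:
    """The flawed pattern: the id in the URL is the only thing consulted.

    Anyone who can type the URL into a browser gets the record. No session,
    no password, no ownership check.
    """
    sid = record_id_from_path(req.path)
    if sid is None or sid not in STUDENT_RECORDS:
        return Response(404)
    return Response(200, STUDENT_RECORDS[sid])


def hardened_handler(req: Request) -> Response:
    """Authenticate first, then authorise, then look the record up.

    Ordering matters: an anonymous or non-owning caller never learns whether
    an id exists, because the 404 is only reachable for the caller's own id.
    """
    caller = SESSIONS.get(req.cookies.get("session"))
    if caller is None:
        return Response(401)  # no valid session: not logged in
    sid = record_id_from_path(req.path)
    if sid is None or caller != sid:
        return Response(403)  # logged in, but not this caller's record
    if sid not in STUDENT_RECORDS:
        return Response(404)
    return Response(200, STUDENT_RECORDS[sid])


def regression_check(handler) -> bool:
    """Access-control properties every build must keep.

    Run against the deployed handler in CI. This is the check that catches a
    fix silently dropped during an upgrade, the failure mode the report
    describes for 2007: it returns False the moment anonymous or cross-user
    access is possible again.
    """
    anonymous = Request("/records/s1001", {})
    other_user = Request("/records/s1001", {"session": "tok-bob"})
    owner = Request("/records/s1001", {"session": "tok-alice"})
    return (
        handler(anonymous).status == 401
        and handler(other_user).status == 403
        and handler(owner).status == 200
    )


if __name__ == "__main__":
    print("vulnerable handler passes regression check:",
          regression_check(vulnerable_handler))
    print("hardened handler passes regression check:",
          regression_check(hardened_handler))
```

The point of `regression_check` is that it tests the property (no record without a matching session), not the presence of a particular patch, so it keeps working after the code it protects is rewritten or upgraded.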

While the report found that the university did not meet its obligations under section 12 of the PPIP Act, McAteer said that it had responded to the breach with "urgency and effectiveness" and that no further action by his office was needed.

Hamish Barwick, Computerworld Australia. Security tip-offs: hamish_barwick at idg.com.au; Twitter @HamishBarwick and @ComputerworldAU.
