University of Sydney failed to protect students: Privacy Commissioner
- 29 June, 2011 11:43
An investigation by the Acting NSW Privacy Commissioner, John McAteer, into the University of Sydney's security breach in January has found that the institution failed to meet its obligations to students under the Privacy and Personal Information Protection (PPIP) Act of 1998 due to a series of security blunders.
According to the report (PDF), a similar security flaw on the university's website was first reported in 2007.
"The university repaired the code error that allowed unauthorised access to student records on the university’s website by way of introducing a security patch but when updates to the software were made later in 2007, the patch was not re-introduced into the system due to an oversight," McAteer said in a statement.
The university has since introduced a new software control system that mitigates the risk of this happening again.
"In a further briefing provided to staff of this office, the university explained that the flaw in January 2011 was not an outcome of the failure in 2007 to re-install the security patch," McAteer said.
"Section 12 of the PPIP Act imposes a positive obligation on the University to take all reasonably available security measures to ensure a student’s personal information recorded on the University’s web-accessible records through the many transactions students complete on-line does not become available to unauthorised persons and bodies."
McAteer said that the University should have been aware that it held sensitive personal information about thousands of people which, if it fell into the wrong hands, could expose them to physical and financial threats.
"The information leaks in January 2011 resulted from what can be simply described as a programming error that allowed access to student records directly from one’s Web browser without the need to enter a password," he said.
According to the commissioner, the flaw was "avoidable" and the University did not take the available steps to avoid the risk that the leaks would eventuate.
While the report found that the university did not meet its obligations under section 12 of the PPIP Act, McAteer said that it did respond to the breach of security with "urgency and effectiveness" and that there was no need to take further action.
Got a security tip-off? Contact Hamish Barwick at hamish_barwick at idg.com.au
Follow Hamish Barwick on Twitter: @HamishBarwick
Follow Computerworld Australia on Twitter: @ComputerworldAU