Major data breach at the University of Tasmania
September 22, 2020 |
After the major data breach at the Australian National University, which was probably caused by a state actor, one would have thought universities in Australia would review their data security practices, do some stress testing and monitor access points to their databases. Maybe some did, but it is certain that the University of Tasmania didn’t, or didn’t do so worth a damn. The Australian, in Serious data breach hits 20,000 Uni of Tasmania students, prompting credit, privacy concerns, reports on a very serious data breach in which the personal information of 19,900 students, including their ethnicity, any disabilities and their results, was exposed. The information was accessible to other students between 27 February and 11 August 2020. Unlike the data breach at the Australian National University (see my post here), which involved a sophisticated cyber attack by a foreign player, this breach was caused by incorrectly configured security settings on a SharePoint site, which made the files accessible to anyone with a University email address.
It is interesting, and raises more than a few questions, why the University waited from 11 August, when the data breach was discovered, until 21 September, some six weeks later, to make it public and notify students. That is longer than the 30 days Australia’s mandatory data breach notification scheme allows for assessing a suspected breach, and far longer than the 72-hour limit for notifying the supervisory authority under the EU’s GDPR. It is also much longer than most United States state jurisdictions permit. That is a significant error in responding to the breach. What many organisations and institutions fail to appreciate is that what has been compromised is not their material, but the personal information of others which those bodies have collected. Those affected individuals should be the first priority. It rarely works out that way, hence the need for mandatory data breach notification laws.
Once the University made the announcement the response was quite good by Australian standards. The University seems to be candid in explaining how the data breach arose, how long it persisted and what mitigation has taken place.
The University issued a short press release:
The University of Tasmania has today contacted students whose personal information was inadvertently made accessible to all users with a utas.edu.au email address.
The data, which is used to inform the ways the University supports students in their studies, contained personally identifiable information of 19,900 students.
There is no evidence this data breach was the result of malicious activity. Security settings on shared files were unintentionally configured incorrectly, which made the information visible and accessible to unauthorised users.
University of Tasmania Vice-Chancellor Professor Rufus Black said the University had responded quickly to secure the information and engaged independent experts to assist.
“We have undertaken a thorough review of how this information became accessible and took immediate steps to ensure it is secure,” Professor Black said.
“This morning, we contacted every student affected by this incident to explain what had happened, to apologise, and to offer support.”
The University has established a dedicated support line – 1800 019 897 – to assist students with any questions or concerns about their personal information. Experts in national identity and cyber support services IDCARE have also been engaged to provide independent advice and support to students, including dedicated case managers who work with individuals to develop tailored response plans.
The privacy regulator, the Office of the Australian Information Commissioner, has been notified.
The Vice-Chancellor has issued a statement:
Dear colleagues and students,
As you may be aware, we have experienced a recent incident where some of our students’ personal information was inadvertently able to be accessed by all users with a utas.edu.au email address. These files contain personally identifiable information of a number of enrolled students.
On behalf of the University I sincerely apologise to all students who have been affected by this incident. Please be assured that we take the management of your personal information extremely seriously. We have undertaken a thorough review of how this information became accessible and have taken immediate steps to ensure it is secure.
We are deeply committed to ensuring all of our students are supported to be successful in their studies. The data that was accessed is used to inform the support initiatives the University has in place and to facilitate engagement with students for this purpose.
We have established a dedicated support line – 1800 019 897 – to assist students with any questions or concerns about their personal information. The support line will be open between 7am and 7pm from Monday to Friday.
We have also engaged IDCARE – experts in national identity and cyber support services – to provide further independent advice and cyber support to students, including dedicated case managers who work with individuals to develop tailored and personalised response plans.
Again, I sincerely apologise to all students who have been affected by this incident and I encourage anyone with concerns or questions about potential misuse of their personal information to contact the support line as soon as possible.
Kind regards,
and the University has published more information in a set of questions and answers:
What happened?
On 11 August 2020 the University became aware that electronic files stored on one of the SharePoint sites on the Office365 platform were inadvertently able to be accessed by individuals with a University of Tasmania email address.
The security settings for this SharePoint site were unintentionally configured incorrectly.
This meant that individuals with a utas.edu.au email address who were not authorised to access documents saved in the site were inadvertently granted access.
Files stored on this site were made visible to individuals when they logged in to the University’s Office365 system. Some files were made visible as a result of the “Delve” application within the Office365 platform. Delve displays content to users based on access privileges, and automatically displays certain files to users.
This was the result of incorrect configuration. There is no evidence this data breach was a result of malicious activity. The system has now been correctly configured.
The relevant files contain personally identifiable information in relation to approximately 19,900 currently enrolled students in 2020.
Students whose data could have been accessed due to the breach have been notified by email on Monday 21 September 2020.
Who can I contact to find out more information?
The University of Tasmania has established a dedicated support line to assist with any questions in relation to this incident – 1800 019 897. Any student or staff member with questions is encouraged to please call the support line using their unique reference number.
Anyone impacted who is concerned about their safety as a result of the exposure of contact information, such as survivors of family and domestic violence, can contact IDCARE, who will inform them of their options in relation to accessing additional external support services.
IDCARE is a third-party identity and cyber support service with dedicated Case Managers who can work with them confidentially to develop tailored and personalised response plans.
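The questions and answers above describe the mechanism only in outline: permissions on one SharePoint site were granted to a principal that covers every utas.edu.au account, and Delve, which only ever surfaces content the signed-in user already has permission to read, then put those files in front of students. The practical check for any tenant is to enumerate every site for grants to the two tenant-wide principals, "Everyone" and "Everyone except external users". The script below is an added example written for this page, not code from the University or from Microsoft. It uses the SharePoint Online Management Shell, assumes a SharePoint administrator account and a placeholder admin URL (contoso-admin), and matches the claim prefixes SharePoint Online uses for those two principals.

```powershell
# Added example (not the University's or Microsoft's code): list every SharePoint Online
# site where a tenant-wide principal has been granted access, directly or via a site group.
# Requires the Microsoft.Online.SharePoint.PowerShell module and a SharePoint admin account.
Import-Module Microsoft.Online.SharePoint.PowerShell

$AdminUrl = 'https://contoso-admin.sharepoint.com'   # assumption: replace with your tenant's admin URL
Connect-SPOService -Url $AdminUrl

# Login-name prefixes SharePoint Online uses for the two "everyone" principals.
# The second one is followed by the tenant id, so only the prefix is matched.
$BroadClaims = @(
    'c:0(.s|true',                               # Everyone
    'c:0-.f|rolemanager|spo-grid-all-users/'     # Everyone except external users
)

function Test-BroadClaim {
    param([string]$LoginName)
    foreach ($claim in $BroadClaims) {
        if ($LoginName.StartsWith($claim)) { return $true }
    }
    return $false
}

$findings = foreach ($site in Get-SPOSite -Limit All) {
    try {
        # Principals granted access at the site level, including through groups.
        foreach ($user in Get-SPOUser -Site $site.Url -Limit All) {
            if (Test-BroadClaim $user.LoginName) {
                [pscustomobject]@{
                    Site      = $site.Url
                    Principal = $user.DisplayName
                    Claim     = $user.LoginName
                    Via       = ($user.Groups -join ';')
                }
            }
        }
        # Membership of each site group, e.g. "Site Members" containing Everyone except external users.
        foreach ($group in Get-SPOSiteGroup -Site $site.Url) {
            foreach ($member in $group.Users) {
                if (Test-BroadClaim $member) {
                    [pscustomobject]@{
                        Site      = $site.Url
                        Principal = $group.Title
                        Claim     = $member
                        Via       = "group: $($group.Title) ($($group.Roles -join ','))"
                    }
                }
            }
        }
    }
    catch {
        Write-Warning "Could not read permissions for $($site.Url): $_"
    }
}

$findings | Format-Table -AutoSize
$findings | Export-Csv -NoTypeInformation -Path .\broad-access-findings.csv
```

Two caveats when using this. Get-SPOUser and Get-SPOSiteGroup report site-level grants only; a library, folder or file with broken permission inheritance, or an "anyone in the organisation" sharing link, needs a walk with PnP PowerShell or Microsoft Graph to find. And hiding documents from Delve does not change who can open them: Delve respects the underlying permissions, so the fix is always to the permissions, never to Delve.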
As is almost always the case, the media coverage has been extensive, damning and damaging for the University, with the ABC’s piece Data breach at University of Tasmania affects 20,000 students, Nine News being a bit more dramatic with University of Tasmania IT bungle leads to mass student data breach, and the Nambucca Guardian’s Data leak hits 20k Tasmania uni students, amongst many other pieces.