[BreachExchange] Extraordinary blunder results in the private details of almost 20,000 Australian university students leaked online in massive data breach

Destry Winant destry at riskbasedsecurity.com
Mon Sep 21 10:28:28 EDT 2020


https://www.dailymail.co.uk/news/article-8754721/Private-details-20-000-Australian-university-students-leaked-online-massive-data-breach.html

Personal information belonging to almost 20,000 University of Tasmania
students was mistakenly made public for more than five months due to
security settings being configured incorrectly.

Affected students were on Monday informed of the breach, which made
their data available to anyone with a UTAS email address from late
February to August 11.

UTAS says analysis of the files has revealed a 'number of users' with
university emails have accessed the information.

The data, which contains personally identifiable information, is used
to inform how the university supports students in their studies, UTAS
says.

Bank account details were not part of the data breach.

'Security settings on shared files were unintentionally configured
incorrectly, which made the information visible and accessible to
unauthorised users,' the university said in a statement.

The university says it became aware of the breach on August 11 and has
engaged independent experts to assist.

'I sincerely apologise to all students who have been affected by this
incident,' University of Tasmania Vice-Chancellor Rufus Black said.

'We have undertaken a thorough review of how this information became
accessible and took immediate steps to ensure it is secure.'

UTAS is in the process of contacting people who accessed the data and
has 'sought assurance' that the files, or screenshots or shared copies
of the files, have been permanently deleted.

Vice-Chancellor Professor Rufus Black added every student affected was
on Monday contacted 'to explain what happened, to apologise, and to
offer support.' He said the university engaged independent
experts to assist in securing the information.

Information belonging to the 19,900 students was made public through
Microsoft Office365 platform SharePoint, which is used to store, share
and access files.

Access privileges were incorrectly configured on an Office365
application, which displays content to users based on those
privileges.

'There is no evidence this data breach was a result of malicious
activity,' UTAS said.

'The system has now been correctly configured.'

UTAS has set up a hotline for students with questions or concerns.

