[BreachExchange] Education services provider confirms data breach

Destry Winant destry at riskbasedsecurity.com
Wed Jul 3 05:43:58 EDT 2019


https://www.computerworld.com.au/article/663595/education-services-confirms-data-breach/

Data from a student management system was exposed by an open S3
bucket, an Australian training company has confirmed.

According to MEGT there is an ongoing investigation into the breach,
reported byComputerworld last week.

The breach affected international students enrolled with Ability
English and MEGT Institute. The data itself was being managed by
student information system provider Tribal Campus.

MEGT said that there is no indication from Tribal that data relating
to its apprenticeship or group training operations had been affected.

In addition to working with Tribal Campus to investigate the breach,
MEGT said it has commissioned an internal cyber security review.

The MEGT data is believed to have included student contact information
details, identification details, educational data, transaction data,
health data and passport and visa details, according to the company.

The open S3 bucket was closed off after UK privacy advocate Gareth
Llewellyncontacted the Australian Signals Directorate.

Llewellyn has previously revealed a number of Australian data breaches
involving S3, including thousands of resumes and cover letters being
exposed by a psychometric assessment service. He also attempted to
alert property valuation firm LandMark White that a range of its
client data was exposed.

“While the data which has been breached was being managed by a third
party, we are totally committed to the welfare of our students and
understand that we need to do everything in our control to manage the
implications for those who have been affected,” a statement issued by
MEGT said.

“We will do everything we can to minimise the impact on them and have
already notified the vast majority of those who have so far been
identified as impacted.”

“At this early stage neither we, nor the cyber experts examining the
details, can determine if any data has fallen into the wrong hands.
What we do know right now is that data, which should have always been
held securely, was in fact publicly accessible, and that is totally
unacceptable to us,” MEGT acting CEO Bridie Gildea said.

“We take data security and student privacy very seriously and this
security failure is our top priority. We apologise unreservedly to
those who have been impacted by this incident, it will remain our top
priority until it is fully resolved. We also undertake to keep
students, staff and stakeholders abreast of any developments.”


More information about the BreachExchange mailing list