Acting Privacy Commissioner John McAteer has finished an inquiry into the exposure of student data at the University of Sydney earlier this year, finding that the error that enabled data to be freely accessed was avoidable, and that, therefore, the university had not met its obligations to protect its students' data.
The inquiry was launched after McAteer learned that University of Sydney student data was exposed on the web, with anyone able to access student names, addresses, the subjects students were enrolled in and fees payable, without requiring a password. The flaw was not a new vulnerability, but one that had been identified and dealt with in 2007.
The issue was brought to the attention of the university in February 2007, and while the loophole was patched at the time, the Sydney Morning Herald pointed out in January this year that it was again vulnerable.
At that time, the university's vice-chancellor and principal, Michael Spence, wrote to students and staff of the university, stating that, "as a result of a software update, the security patch was inadvertently removed without anyone becoming aware of its function in protecting the security of student records".
After engaging a security consultancy firm to investigate the issue, the university discovered an additional information-leak risk, which was promptly secured.
In the report, first noted by the Sydney Morning Herald, McAteer said that communities should be able to expect large corporations and public sector agencies to be more aware of information security risks and have vigilant breach prevention programs, and that the university had not met its obligations under the Privacy and Personal Information Act 1998.
His view of the breach was that "with appropriate testing, the flaw was avoidable and the university had not taken reasonably available steps to avoid the risk that the leaks would eventuate".
Since closing off the loophole, the university has developed a software control system that ensures its software code repository always associates software components with their associated updates and security patches. It has also implemented additional security measures, including further security reviews and penetration testing. As a result, McAteer said that "the university responded to being informed of this breach of security with urgency and effectiveness", and that "there is no need to take further action in relation to this investigation".