Australian universities using the ProctorU online exam monitoring tool are included in a data breach affecting 444,000 users of the platform.
The breach, first reported by Bleeping Computer, is among a number of databases being published to a hacker forum, exposing over 385 million user records since July 21st.
ProctorU was one of 18 companies with data exposed in the release, which contained records belonging to University of Sydney staff, that university’s Honi Soit student publication reported.
The data contains usernames, unencrypted passwords, legal names and full residential addresses, belonging to a number of Australian universities, including the Group of Eight’s University of Sydney, University of NSW, University of Queensland, University of Melbourne, University of Western Australia, and University of Adelaide, as well as Swinburne University, James Cook University, and Curtin University, Honi Soit said.
A spokesperson for the University of Sydney told iTnews the university met with ProctorU’s CEO and compliance officer today, “who confirmed they are investigating a breach of confidential data relating to users of their service”.
“We understand the data relates to people who were registered as users of ProctorU’s services on or before 2014," the spokesperson said.
“We don’t believe our current students are directly impacted by this breach as we began using ProctorU’s online proctoring services in 2020, in response to the COVID19 pandemic.
"Any breach of security and privacy of this type is of course deeply concerning and we will continue to work with ProctorU to understand the circumstances of the breach and determine whether any follow-up actions are required on our part."
The University of Melbourne, meanwhile, said it “is aware of a cyber security issue involving ProctorU and is investigating the matter".
Swinburne University is also investigating the matter.
“At this stage, we understand that only a small number of Swinburne Online students have been impacted, and have commenced our own independent investigation,” a spokesperson told iTnews.
“Swinburne Online is proactively contacting the student community to inform them of the breach and advising them to update their security details.
“The safety, wellbeing and privacy of Swinburne students and staff is our priority and we will continue to inform our community of any updates to this situation.”
A spokesperson from UNSW also told iTnews the organisation has been advised that no records relating to the university were contained within the database, and therefore its data was not affected.
The University of Queensland said “ProctorU confirmed to the University that our data has not been obtained”.
Curtin University, meanwhile, said it was "aware of a cyber-security incident involving ProctorU" and that its IT Security teams were "working with the Australian Cyber Emergency Response Team (AusCERT) to ascertain the details."
Representatives from the University of Adelaide and the University of Western Australia told iTnews they are unaffected by the ProctorU breach as they do not use the platform.
James Cook University similarly does not use ProctorU, but is working with AusCERT and the Council of Australasian University Directors of IT (CAUDIT) to analyse the situation.
ProctorU is just one of many online exam invigilation platforms being used in the Australian higher education sector.
While some universities had been trialling online exams for some time, often with strong support from students studying remotely, many institutions rapidly introduced the platforms in the face of the COVID-19 health crisis.
The rushed nature of the deployment in some institutions prompted student groups at the likes of the Australian National University, University of Sydney and University of Technology Sydney to voice concerns over the privacy and security implications of remote invigilation platforms.
The University of Sydney said that students' experiences with remote learning will be used to inform its strategy going forward.
"We’ll also review our experience of online exams and proctoring this year to inform our approach to assessments in 2021," it said.
ProctorU has been contacted for comment.