Misconfigured UTAS SharePoint site exposed 20,000 students' details

A misconfigured SharePoint site led to the exposure of files containing the personal information of almost 20,000 University of Tasmania students to anyone with a university email address.

The University of Tasmania said in a statement that the incident came to light on August 11 but that it had only today contacted students.

It said the misconfiguration was active - and the files broadly accessible to anyone with a utas.gov.au email address - "from February 27 to August 11" of this year.

“The data, which is used to inform the ways the University supports students in their studies, contained personally identifiable information of 19,900 students,” it said.

“There is no evidence this data breach was the result of malicious activity. 

“Security settings on shared files were unintentionally configured incorrectly, which made the information visible and accessible to unauthorised users.”

In an FAQ, the University said it had the files stored on a SharePoint site in Office 365.

“Files stored on this site were made visible to individuals when they logged in to the University's Office365 system,” it said.

“Some files were made visible as a result of the ‘Delve’ application within the Office365 platform. Delve displays content to users based on access privileges, and automatically displays certain files to users.

“This was the result of incorrect configuration. The system has now been correctly configured.”

In response, the University said it had disabled Delve and put IT in charge of creating new Teams sites.

"Automatic alerts have been implemented to identify changes to permission settings for certain high-risk access levels," it said.

The University said it had notified the Office of the Australian Information Commissioner (OAIC) and set up a support line at 1800 019 897 “to assist students with any questions or concerns about their personal information.”

The files are said to contain a wide range of personally identifiable information, including full name, email addresses, phone numbers, date and country of birth, student IDs, ATARs and other results, as well as unstructured data such as "commentary / notes in relation to continuing enrolment".

The data isn't consistent for every student; "not every individual will have had the same personal information accessed," the University said.

It said that "unauthorised student and staff users have been identified", though did not say how many.

Vice chancellor Professor Rufus Black apologised to the students impacted.

"Please be assured that we take the management of your personal information extremely seriously," he said.

"We are deeply committed to ensuring all of our students are supported to be successful in their studies.

"The data that was accessed is used to inform the support initiatives the University has in place and to facilitate engagement with students for this purpose."

Black said the University had undertaken "a thorough review of how this information became accessible and have taken immediate steps to ensure it is secure."