iTnews
  • Home
  • News
  • Technology
  • Cloud

Misconfigured UTAS SharePoint site exposed 20,000 students' details

By Ry Crozier on Sep 21, 2020 2:01PM
Misconfigured UTAS SharePoint site exposed 20,000 students' details

Security settings allowed broad access to files.

A misconfigured SharePoint site led to the exposure of files containing the personal information of almost 20,000 University of Tasmania students to anyone with a university email address.

The University of Tasmania said in a statement that the incident came to light on August 11 but that it had only today contacted students.

It said the misconfiguration was active - and the files broadly accessible to anyone with a utas.gov.au email address - "from February 27 to August 11" of this year.

“The data, which is used to inform the ways the University supports students in their studies, contained personally identifiable information of 19,900 students,” it said.

“There is no evidence this data breach was the result of malicious activity. 

“Security settings on shared files were unintentionally configured incorrectly, which made the information visible and accessible to unauthorised users.”

In an FAQ, the University said it had the files stored on a SharePoint site in Office 365.

“Files stored on this site were made visible to individuals when they logged in to the University's Office365 system,” it said.

“Some files were made visible as a result of the ‘Delve’ application within the Office365 platform. Delve displays content to users based on access privileges, and automatically displays certain files to users.

“This was the result of incorrect configuration. The system has now been correctly configured.”

In response, the University said it had disabled Delve and put IT in charge of creating new Teams sites.

"Automatic alerts have been implemented to identify changes to permission settings for certain high-risk access levels," it said.

The University said it had notified the Office of the Australian Information Commissioner (OAIC) and set up a support line at 1800 019 897 “to assist students with any questions or concerns about their personal information.”

The files are said to contain a wide range of personally identifiable information, including full name, email addresses, phone numbers, date and country of birth, student IDs, ATARs and other results, as well as unstructured data such as "commentary / notes in relation to continuing enrolment".

The data isn't consistent for every student; "not every individual will have had the same personal information accessed," the University said.

It said that "unauthorised student and staff users have been identified", though did not say how many.

Vice chancellor Professor Rufus Black apologised to the students impacted.

"Please be assured that we take the management of your personal information extremely seriously," he said.

"We are deeply committed to ensuring all of our students are supported to be successful in their studies.

"The data that was accessed is used to inform the support initiatives the University has in place and to facilitate engagement with students for this purpose."

Black said the University had undertaken "a thorough review of how this information became accessible and have taken immediate steps to ensure it is secure."

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
clouddata breacheducationitsecuritysharepointutas

Partner Content

Avoiding CAPEX by making on-premise IT more cloud-like
Promoted Content Avoiding CAPEX by making on-premise IT more cloud-like
Accenture and Google Cloud team up to create a loveable, Australian-first, renewable energy product
Promoted Content Accenture and Google Cloud team up to create a loveable, Australian-first, renewable energy product
Security "mindset shift" needed to protect organisations
Promoted Content Security "mindset shift" needed to protect organisations
How to turn digital complexity into competitive advantage
Promoted Content How to turn digital complexity into competitive advantage

Sponsored Whitepapers

Extracting the value of data using Unified Observability
Extracting the value of data using Unified Observability
Planning before the breach: You can’t protect what you can’t see
Planning before the breach: You can’t protect what you can’t see
Beyond FTP: Securing and Managing File Transfers
Beyond FTP: Securing and Managing File Transfers
NextGen Security Operations: A Roadmap for the Future
NextGen Security Operations: A Roadmap for the Future
Video: Watch Juniper talk about its Aston Martin partnership
Video: Watch Juniper talk about its Aston Martin partnership

Events

  • Micro Focus Information Management & Governance (IM&G) Forum 2022
  • CRN Channel Meets: CyberSecurity Live Event
  • IoT Insights: Secure By Design for manufacturing
  • Cyber Security for Government Summit
  • Forrester Technology & Innovation Asia Pacific 2022
By Ry Crozier
Sep 21 2020
2:01PM
0 Comments

Related Articles

  • Azure misconfiguration exposed ISOC members' info
  • NSW Education had unknown vulnerability in breached system
  • Monash University opens public bug bounty
  • Collins Foods puts IT focus on security controls, cloud services
Share on Twitter Share on Facebook Share on LinkedIn Share on Whatsapp Email A Friend

Most Read Articles

Qantas calls time on IBM, Fujitsu in tech modernisation

Qantas calls time on IBM, Fujitsu in tech modernisation

Researchers hacked Oracle servers to demo serious vulnerability

Researchers hacked Oracle servers to demo serious vulnerability

PayTo rollout kicks off

PayTo rollout kicks off

Australian scientists build world's first quantum computer IC

Australian scientists build world's first quantum computer IC

Digital Nation

The security threat of quantum computing
The security threat of quantum computing
Crypto experts optimistic about future of Bitcoin: Block
Crypto experts optimistic about future of Bitcoin: Block
IBM global chief data officer on the rise of the number crunchers
IBM global chief data officer on the rise of the number crunchers
Integrity, ethics and board decisions in the digital age
Integrity, ethics and board decisions in the digital age
COVER STORY: Operationalising net zero through the power of IoT
COVER STORY: Operationalising net zero through the power of IoT
All rights reserved. This material may not be published, broadcast, rewritten or redistributed in any form without prior authorisation.
Your use of this website constitutes acceptance of nextmedia's Privacy Policy and Terms & Conditions.