Jul 20, 2011 15:21 GMT

The Information Commissioner's Office (ICO) reports that the University of York exposed thousands of student records by accidentally leaving a test area on its website open for over a year.

The security hole was introduced back in September 2009 during work on the university's IT system and was not identified until recently.

Students were able to view the personal information of their classmates and, according to the ICO, 148 records were accessed without authorization.

"We recognise that people can make mistakes when handling data – that’s why it is so vital that adequate checks and security measures are put in place," said ICO Director of Operations Simon Entwisle.

"This breach could have been avoided if the University had properly assessed the risks that this work posed to the security of their students’ details. They also failed to test the security of their IT system once the work was complete, leading to an unnecessary delay in the error being corrected," he added.

Entwisle adds that because the information exposed wasn't likely to cause the students substantial damage or distress, a monetary penalty isn't warranted in this case.

The ICO can issue penalties of up to £500,000 for violations of the Data Protection Act. In this case, the university agreed to improve its data security practices. University of York Vice Chancellor, Professor Brian Cantor, signed an undertaking in this respect.

The undertaking involves checking the security of any IT system following maintenance work, securing remote access to the university's systems, and performing vulnerability and penetration testing on an annual basis.

"The data controller shall implement such other security measures as it deems appropriate to ensure that personal data is protected against unauthorised and unlawful processing, accidental loss, destruction, and/or damage," the undertaking reads.