Jan 20, 2011 07:30 GMT

A vulnerability on the University of Sydney (USyd) website allowed sensitive student data to be accessed by anyone, for possibly as long as four years.

According to the Sydney Morning Herald, which learned of the flaw and notified the university about it, the data included student names, home addresses, emails, as well as the courses they attended and their cost.

The newspaper was also told that the university had been informed of the vulnerability in February 2007 but failed to resolve it.

When told about the security issue yesterday, USyd vice-chancellor Michael Spence declined to discuss the possibility of an earlier report, but said that he was appalled to learn some records could be accessed so easily.

The university suspended the section of the website where the security issue was identified. The flaw reportedly resided in a script that generates invoices for students who use the Higher Education Contribution Scheme (HECS).

The script takes a student ID as input and returns that student's invoice without verifying that the requester is entitled to see it. Because the IDs can be guessed or generated, anyone can feed candidate IDs to the script and harvest records that are not their own.
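The flaw class described above, as an added example rather than code from the USyd site: a lookup that trusts the student ID in the request next to a hardened version that binds the ID to the authenticated session, the enumeration loop an attacker would run against the weak version, and a log check that flags a client requesting many distinct IDs. Every record, ID, path and log line here is constructed for illustration.

```python
"""Added example (not the university's code): IDOR-style invoice lookup,
its hardened form, an enumeration loop, and a simple log-based detector.
All data is constructed; field names and paths are assumptions."""
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed sample records keyed by student ID (IDs are sequential on purpose).
INVOICES = {
    "200412345": {"name": "A. Student", "address": "1 Example St", "courses": [("LAW1001", 1200.0)]},
    "200412346": {"name": "B. Student", "address": "2 Example St", "courses": [("MATH1001", 900.0)]},
    "200412347": {"name": "C. Student", "address": "3 Example St", "courses": [("PHYS1001", 950.0)]},
}


class Forbidden(Exception):
    """Raised when a caller asks for an invoice that is not theirs."""


def invoice_vulnerable(student_id):
    """Trusts the ID supplied in the request: any caller can read any record."""
    return INVOICES.get(student_id)


def invoice_hardened(session_student_id, requested_id):
    """Serve only the record belonging to the authenticated student.

    The authorization decision is made on the session identity, not on the
    request parameter, so an attacker cannot walk other people's IDs.
    """
    if session_student_id is None or requested_id != session_student_id:
        raise Forbidden("invoice does not belong to the authenticated user")
    return INVOICES.get(requested_id)


def enumerate_ids(prefix, start, count):
    """What an attacker does against the vulnerable endpoint: try a run of
    sequential candidate IDs and keep every one that returns a record."""
    found = {}
    for n in range(start, start + count):
        sid = f"{prefix}{n}"
        rec = invoice_vulnerable(sid)
        if rec is not None:
            found[sid] = rec
    return found


# Constructed access-log lines: "<client_ip> <method> <path>".
SAMPLE_LOG = [
    "10.0.0.5 GET /hecs/invoice?sid=200412340",
    "10.0.0.5 GET /hecs/invoice?sid=200412341",
    "10.0.0.5 GET /hecs/invoice?sid=200412342",
    "10.0.0.5 GET /hecs/invoice?sid=200412343",
    "10.0.0.5 GET /hecs/invoice?sid=200412344",
    "10.0.0.5 GET /hecs/invoice?sid=200412345",
    "10.0.0.5 GET /hecs/index.html",
    "10.0.0.9 GET /hecs/invoice?sid=200412347",
]


def flag_enumeration(log_lines, threshold=5):
    """Return client IPs that requested more than `threshold` distinct student
    IDs from the invoice script. A legitimate student asks for one ID; a
    client cycling through many is enumerating."""
    ids_by_ip = defaultdict(set)
    for line in log_lines:
        ip, _method, path = line.split(" ", 2)
        parsed = urlparse(path)
        if parsed.path != "/hecs/invoice":
            continue
        for sid in parse_qs(parsed.query).get("sid", []):
            ids_by_ip[ip].add(sid)
    return sorted(ip for ip, ids in ids_by_ip.items() if len(ids) > threshold)


if __name__ == "__main__":
    print("attacker harvested:", sorted(enumerate_ids("20041", 2340, 10)))
    print("enumerating clients:", flag_enumeration(SAMPLE_LOG))
```

The hardened lookup deliberately ignores the requested ID as an authorization input: the only record it will ever return is the one tied to the session, so there is nothing left to enumerate even if IDs are sequential. The detector is a coarse first pass; in practice the threshold and window would be tuned against normal traffic for the endpoint.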

This is the same class of flaw, an insecure direct object reference in which a user-supplied identifier is trusted without an authorization check, that a group of greyhat hackers exploited last year to extract the email addresses and ICC-IDs of iPad users from AT&T's website. Two of them have been charged with criminal offenses over the incident.

The acting New South Wales Privacy Commissioner, John McAteer, said that judging from the information he was shown so far, the university might have violated section 12(c) of the NSW Privacy and Personal Information Protection Act 1998, according to which, "a public sector agency that holds personal information must ensure that the information is protected, by taking such security safeguards as are reasonable in the circumstances, against loss, unauthorised access, use, modification or disclosure, and against all other misuse."

This data breach follows last week's defacement of the university's website on three separate occasions by a hacker who claimed to have access to two thirds of its network.