University leaks private details of entire student body

The University of York website, through which the data search was made available

The University of York may be facing serious repercussions after leaking private and personal details of the whole student body.

Nouse can exclusively reveal that a student enquiry screening function enabled on the website, and open to the general public, permitted the private details of any registered student to be freely accessible. This included all their personal details such as mobile numbers, home and term-time addresses, and date of birth.

In addition, particular concern was raised over the publication of the details of all students’ registered emergency contacts, including the disclosure of names, email addresses and mobile numbers. Most emergency contacts are close relatives or friends who do not attend the University themselves.

The search also disclosed the AS and A-Level results of all listed students.

In a statement released to Nouse, Stephen Town, University of York’s Director of Information, said: “The University has taken immediate action to rectify the problem of unauthorised access to student data, and we have informed the Information Commissioner of this breach to meet our legal obligations.”

While originally thought to have been accessible for just over a week, it is now evident the service has been available since the beginning of January. After being alerted to the security breach this morning, the University has since disabled the system.

The details of 17,094 students, including all those in undergraduate, post-graduate and part-time study, could be accessed via the University website without even needing to enter a University login. Information as minimal as initials or course information was enough to find any student’s full academic and personal details through this service.

This is a clear violation of the 1998 Data Protection Act, which the University itself cites on their website.

It states that: “Personal data should not generally be disclosed to third parties without the permission of the individual concerned. In this context, ‘third parties’ includes family members, friends, local authorities, government bodies and the police, unless disclosure is exempted by the 1998 Act or by other legislation.”

If found guilty by the ICO, the University could face fines of up to £500,000 or serious legal action, as the publication of such sensitive and personal information could be seen to seriously jeopardise student welfare and safety.

Gus Hosein, spokesman for campaign group Privacy International, called it “the largest breach we have heard of in the UK.”

He added: “It’s appalling. If the University cannot secure the information, it should not be collecting it.”

The University apologised for their “failure to adequately protect student data”, adding that “we take the confidentiality of personal data very seriously, and I am very sorry to discover any shortcoming in this area and fully appreciate the concern which this has caused.”

They also confirmed that a full and urgent investigation will now be conducted into the matter, with the University’s internal auditors to fully review the data security arrangements.

28 comments

  1. Absolutely incredible story; amazed that it could even happen (surely at some point during integration between website and full student information there was someone who said ‘what if’ and failsafes were put in?!)

    Waiting to hear whether the full info was ripped by any organisation – if so, all information is still out there..?

  2. This is absurd. I’m suing.

  3. 14 Mar ’11 at 5:59 pm

    Jonathan Frost

    The details were temporarily available, but it’s no cause for mass hysteria. I highly doubt anyone mass downloaded them. That said it’s still pretty incredibly useless of them.

  4. 14 Mar ’11 at 6:27 pm

    Unfortunate Econ Student

    All students for the entire Economics department were available to view for a much longer period through the student enquiry screen. I reported it and it disappeared fairly quickly, but this is just outrageous.

  5. This is ridiculous! How can they be so lax! This definitely needs to be remedied, with a proper explanation, AND apology to every student.

  6. This is really annoying and serious. The only bit which is unconvincing is “the University of York may be facing serious repercussions”. I can find you a long list of organisations who have breached the DPA and lost personal data, but I couldn’t name a single one that has faced serious consequences. The whole way in which personal data is handled is seriously broken, and it needs to be fixed. For more information see things e.g. Mydex and follow things like Open Rights Group.

  7. I believe the word “Ooops” may have just gained popularity.

  8. Mistakes do happen, and I’m sure who was responsible will face repercussions for their mistake, maybe even lose their job? We’re all guilty of big mistakes at some stage in our lives. I don’t really care that my details were available, I’m sure if someone wanted them so badly they could employ other methods. It was rectified as soon as it was known. I suppose if it happens again, that’s when we need to start getting angry.

  9. Just got a call from the university’s Data Services about this. To be honest, it doesn’t seem that bad, pretty much all that information is stuff I’d be fine with my friends knowing. I’d imagine the only people who would actually search the database are students themselves, since from what I understand the breach wasn’t long enough for search engines to spider it or anything. I’m not worried really…

  10. This is an outrage. My personal information contains a number of sensitive details on my relatives and contacts which could cause an international crisis. Useless useless York.

  11. 15 Mar ’11 at 9:42 pm

    Oliver Gettings

    This is very poor indeed. If I am one of the students I will definitely be taking legal action. This is worse than the university emailing a whole department lists of people who need extra time in exams a few years back…

  12. “Most emergency contacts are close relatives or friends who do not attend the University themselves.”

    Absolutely ridiculous, so my Dad’s email address and phone number was just there for everyone to see. He happens to be quite famous – I think I’m in the same boat as Percy – and this will really annoy him.

  13. Whilst it’s a data protection issue, this certainly hasn’t been released on purpose. It’s a slip up behind the scenes that’s easy to correct but goes unnoticed because the administrators of that website naturally have access to that level of information anyway.

    In reply to ~J, which I presume is Jason Rose, there aren’t levels of fail-safe to guard data distribution – no automated data storage paradigm allows both single user authentication AND multiple layers of security to safeguard sensitive information. The concept is a fallacy.

    So I got an email today saying less than two hundred profiles had been viewed – that’s fairly insignificant; about 1% of what was on offer. All in all I’d give that a verdict of No Harm Done.

  14. Sorry Jon, but “highly doubt” doesn’t quite cut it, the potential for significant abuse was there and that’s all that counts – whether it WAS abused is a completely unrelated matter. The university has broken the law and they should be punished accordingly. This is an absolute farce.

  15. 16 Mar ’11 at 11:18 am

    Marcel Proust

    I just got rung up this morning telling me I was one of the 148 people whose details were taken.
    Not happy at all.

  16. I’ve heard of a few individuals using this blip to look up course mates’ information (especially grades) and it’s become quite the talking point on some courses due to a few nasty individuals.

  17. I am one of the unlucky few who appear to have had all of my data accessed. I only found out today after receiving a voicemail from IT services. I have also just received an email about all of my information that they managed to access. Basically everything about me…

    Expecting calls from Nigerian bankers any minute now.

  18. 16 Mar ’11 at 3:30 pm

    How utterly irresponsible

    …was the idiot who posted the exposed link on Facebook, rather than having it taken down FIRST and then making a song and dance. The 148 records accessed were therefore most likely people checking themselves or their friends.

  19. 16 Mar ’11 at 6:49 pm

    One seriously hacked off MA student...

    I had an email supposedly from HSBC at 6am this morning, I thought it was dodgy so didn’t use the link but because my laptop has a proxy server so that I can access York resources, whoever it was could see exactly what the computer was doing and so got my log in details. At midday they took £3076 from my bank account via a “soft furnishing” firm, then they actually rang my bank pretending to be me and authorised a loan, extended my overdraft and then chatted to them about being a student in York!!

    Luckily when the person then did a £1000 transfer into the bank at 1.30, something about it didn’t ring true so the bank stopped all the transactions pending and called me at work. I will get everything back thankfully but the hassles involved are ridiculous. My computer has been breached so I can’t use the proxy server, which means I can’t access the online resources at York thus causing problems with essay writing. I have to wait for a checklist from the bank and have to get my computer guy to change all the security etc on the computer and tick off all the boxes before I can get my online accounts up and running again. I have to go into the bank and prove who I am to get any cash and have to change all my cards, security, pin numbers before I can get any money out. It’s not really the money that’s the problem as the bank will refund everything. The problem is the inconvenience and the time and effort involved in sorting everything out just when I really don’t need it with essays and exam prep but, I’ve been lucky so I can’t complain.

    However, according to York University, I am not one of the students affected by the breach and the above is all one huge coincidence….

  20. They’re really earning those six-figure salaries.

  21. 17 Mar ’11 at 2:41 pm

    rex_imperator

    The ICO at its annual conference as recently as last week said it would be fining organisations that do this sort of thing. Let’s see.

  22. Why do we put up with this crap? I blame Bill Gates for writing such crappy software for campus machines which is unintuitive and rubbish. I want apple and only apple EVERYWHERE

  23. As much as this sort of thing is to be discouraged, my concern is that if the Uni ends up getting fined it’ll be us students who will end up suffering for it. Just to add to our troubles.

  24. This article has a mile-wide sensationalist streak. In the Wikileaks era, the verb “leak” is clearly taken to mean an *intentional* release of information. This is a case of careless web programming. It’s not as if the university cut a deal to sell students’ details to a third party.

    It is worrying, and it may even be a scandal, but it is hardly a crime as the article seems to suggest.

  25. 22 Mar ’11 at 1:47 pm

    Brian Blessed

    Brian Blessed would not put up with this.

    I advise making him vice chancellor.

  26. I was one of the 148 people not impressed!!!

  27. 13 Apr ’11 at 4:40 pm

    Once-upon a York

    Off topic – as an ex-York student, it is comforting to know that people are still funny. Gadaffi and Obama, hats off to you.
