The University of York may be facing serious repercussions after leaking private and personal details of the whole student body.
Nouse can exclusively reveal that a student enquiry screening function enabled on the website, and open to the general public, permitted the private details of any registered student to be freely accessible. This included all their personal details such as mobile numbers, home and term-time addresses, and date of birth.
In addition, particular concern was raised over the publication of the details of all students’ registered emergency contacts, including the disclosure of names, email addresses and mobile numbers. Most emergency contacts are close relatives or friends who do not attend the University themselves.
The search also disclosed the AS and A-Level results of all listed students.
In a statement released to Nouse, Stephen Town, University of York’s Director of Information, said: “The University has taken immediate action to rectify the problem of unauthorised access to student data, and we have informed the Information Commissioner of this breach to meet our legal obligations.”
While the service was originally thought to have been accessible for just over a week, it is now evident that it has been available since the beginning of January. After being alerted to the security breach this morning, the University has since disabled the system.
The details of 17,094 students, including all those in undergraduate, post-graduate and part-time study, could be accessed via the University website, without the need to even enter a University login. As little as a student's initials or course information was enough to find any student's full academic and personal details through this service.
This is a clear violation of the 1998 Data Protection Act, which the University itself cites on their website.
It states that: “Personal data should not generally be disclosed to third parties without the permission of the individual concerned. In this context, ‘third parties’ includes family members, friends, local authorities, government bodies and the police, unless disclosure is exempted by the 1998 Act or by other legislation.”
If found guilty by the ICO, the University could face fines of up to £500,000 or serious legal action, as the publication of such sensitive and personal information could be seen to seriously jeopardise student welfare and safety.
Gus Hosein, spokesman for campaign group Privacy International, called it “the largest breach we have heard of in the UK.”
He added: “It’s appalling. If the University cannot secure the information, it should not be collecting it.”
The University apologised for their “failure to adequately protect student data”, adding that “we take the confidentiality of personal data very seriously, and I am very sorry to discover any shortcoming in this area and fully appreciate the concern which this has caused.”
They also confirmed that a full and urgent investigation will now be conducted into the matter, with the University’s internal auditors to fully review the data security arrangements.