Computer Science department in ‘serious’ data security breach

Minutes of confidential meetings which named students who had failed the year were made publicly available via Google

The Department of Computer Science has launched an investigation after confidential information about students was made publicly available online.

Minutes of Board of Studies meetings which included the names of students who had been granted Leaves of Absence were easily accessible via Google. In some cases, the minutes specified that students had left due to medical reasons.

The names of students who had been given formal warnings were also made available, with several students expressing concern over this information being visible to potential employers. The minutes also included details about students who had failed the 40 per cent requirement for first year and were therefore being asked to resit or leave the course.

One Computer Science student, who wished to remain anonymous, said that they were “shocked” by the situation, adding: “I’ve heard some of my friends found some pretty confidential info about them.” The student went on to say: “It’s interesting that they’re calling it a breach when in fact it’s just their lack of security meant Google was indexing all of their confidential meeting minutes for all to see.

“It’s more accidental dissemination than breach, which implies somebody broke through some kind of security, when in fact it was non-existent. Of all departments you think they’d have the knowledge to secure a website.

“I found some pretty interesting stuff just by searching my name – the entire year’s first year results, broke down by assignment, and some meeting minutes that were discussing who didn’t meet 40 per cent in their first year and were having to resit.”

The student added: “The most interesting find was a meeting where the NSS results were being discussed (we’ve slipped [down] the ranks quite significantly). I can’t imagine the department’s going to get scored better next year either after this gaffe.”

Another student told Nouse: “It’s worrying that they’ve made such a trivial mistake with extremely sensitive data.”

Staff are now investigating the extent to which individual privacy has been compromised and have assured students that measures have been put in place to avoid a similar situation happening in the future. The information is no longer available via Google.

Kieran McHugh, Second Year Course Rep for Computer Science, said: “Any disclosure of confidential information is a serious breach of security and I will be working with other course reps to ensure students are kept informed. I have every confidence that the department will learn from this issue and it will not be repeated.”

A spokesperson from the University of York told Nouse: “We apologise to all those who may have been affected by the breach, and will be contacting all those affected personally in due course.

“Students and staff should be assured that confidentiality of personal data is of paramount importance to the University and that lessons learned from this incident will be disseminated across the institution.”

The Computer Science department moved to a brand new, purpose-built building on the Heslington East campus in 2010. The department currently has 43 academic members of staff teaching over 300 undergraduates and 200 postgraduates, with 24/7 lab facilities.

The Research Excellence Framework results ranked York as the seventh best Computer Science department in the UK in 2014.

4 comments

  1. Oh goodness, yes, the most important thing is the NSS rating, and students should definitely use their returns to express their supreme disappointment at this unfortunate accident. All hail NSS and the power it brings to us students to express only strongly negative opinions.


  2. So if this anonymous student’s friends saw the confidential data, doesn’t that mean that the data is being shared by the Computer Science students who accessed it? Isn’t that something to worry about?


  3. “It’s worrying they made such a trivial mistake with extremely sensitive data.” Actually, these types of systems are entirely non-trivial. Do you use Google Docs or OneDrive or Dropbox? Where are your files? How do you apply different access rights to different files when they are potentially distributed across different servers in different locations (maybe even in different countries?) What if a file is moved from one server to another? How do you guarantee that the access rights are moved at the same time? Sure, it all looks easy and transparent to the typical user but they’re bloody difficult to get right.

    Doesn’t excuse the problem, but it does explain why something that seems simple is actually pretty complicated.


  4. I (an alumnus) just received this email:

    We are writing on behalf of the University of York to let you know that in April 2015, a breach of data security occurred in the Department of Computer Science. This was due to the temporary loss of password protection for the agenda and minutes of three departmental committees dating back to 2000.

    The temporary loss of password protection lasted for 27 days and resulted in information relating to up to 4,000 individuals being open to the potential for access. Although we believe that any information which related to you was of a non-sensitive nature, (typically your name might have appeared on a list of those who had progressed from one year to the next or required a resit, or had transferred course), we would nevertheless like to make you aware of this incident and to offer our unreserved apologies for this error.

    We would also like to assure you that the confidentiality of personal data is of paramount importance to the University. The University has since taken a range of measures to improve both its processes and the security of its systems, in response to recommendations from a detailed internal investigation. The University has also enhanced staff training to further embed a culture of information governance within the institution.

    We have submitted a report to the Information Commissioner and await recommendations. There may be some publicity around this incident when his report is published. I do hope that by contacting you we have helped to allay any anxiety this may cause you.

