Reports have emerged that a Tasmanian university has been hit by a data breach impacting nearly 20,000 of its students, which the university is in the process of cleaning up.
The University of Tasmania (UTAS) has notified almost 20,000 of its students of the data breach, confirming that some of the students' personal information was made freely accessible to anyone with a UTAS email address.
UTAS has issued a statement saying that on the 11th of August, the University “became aware that electronic files stored on one of the SharePoint sites on the Office365 were inadvertently able to be accessed by individuals with a University of Tasmania email address.”
The statement continued to explain that “the security settings for this SharePoint site were unintentionally configured incorrectly. This meant that individuals with a utas.edu.au email address not authorised to access documents saved in the site, were inadvertently granted access.”
UTAS added that “this was the result of incorrect configuration,” and that there was “no evidence this data breach was the result of malicious activity.” UTAS said that “security settings on shared files were unintentionally configured incorrectly, which made the information visible and accessible to unauthorised users.”
Jane Beaumont, the university's General Counsel, has said that UTAS first became aware of the breach around a month ago after a student questioned the university’s data protection policy. Ms Beaumont has said that “we know that the cause of this particular breach was that our systems weren’t strong enough, and with hindsight we now know that we should have done more to make sure the systems protected student data better.”
Beaumont added that “we’ve treated it as a significant breach and it’s taken us this amount of time to design a scheme that requires the support mechanisms we’ve put in place to make sure we got it right.”
In an email sent to nearly 20,000 of its students, the university said that any files students had inadvertently downloaded that potentially contain personally identifiable information of their peers “must be permanently deleted.”
“If you have made copies or screenshots of any of the documents or any of the content that was contained in the documents, these must also be permanently deleted… if you have shared or sent the documents or any of the content from the documents, you must take steps to have it returned and/or permanently deleted,” they added.
Last week, we reported on the latest IBM Cost of a Data Breach study, which found that misconfigured networks can add, on average, $500,000 to the $3 million-plus cost of remediating a data breach. In addition to this, they take on average 280 days to be detected. Misconfigurations are one of the most common causes of data breaches, and one that can be mitigated with a risk-based thinking approach to information security, as is found in an Information Security Management System like ISO 27001.
University of Tasmania’s vice chancellor, Professor Rufus Black, has issued a statement saying the university “responded quickly to secure the information,” adding that it has since “engaged independent experts to assist.”
Mr Black continued to explain that “experts in national identity and cyber support services IDCARE have also been engaged to provide independent advice and support to students, including dedicated case managers who work with individuals to develop tailored response plans.”
Braydon Broad of the Tasmania University Union has told the ABC that “the only saving grace about this is at the moment, it doesn’t appear there’s been any systematic, malicious attempt to use the data.”
“But just because you haven’t found something doesn’t mean it isn’t there, so we’ll be working with the University in the next few months to make sure that if there are any developments, students are quickly informed.”