Back in March, the University of York student paper Nouse revealed a breach involving the university’s web site:
On a student enquiry screening function enabled on the website, and open to the general public, the private details of any registered student were made freely accessible. This included all their personal details such as mobile numbers, home and term-time addresses, and date of birth.
In addition, particular concern was raised over the publication of the details of all students’ registered emergency contacts, including the disclosure of names, email addresses and mobile numbers. Most emergency contacts are close relatives or friends who do not attend the University themselves.
The Yorkshire Post followed up, reporting:
The university has said 148 individual records were accessed via the site and those involved would be contacted.
The university could not confirm the number of details leaked but said there were currently only 16,948 students registered on its books.
Now the Information Commissioner’s Office has issued a statement finding the university in breach of the Data Protection Act and requiring it to sign an undertaking.
The undertaking sheds a bit of light on how the breach occurred:
In September 2009, the data controller undertook a software development project, in order to update a University web template. A test programme was created which was not appropriately secured. Once completed, the application in question was moved to its proper place on the data controller’s live web server, but the test version was not deleted. This test version remained available to unauthorised users and gave access to information from the live student database.
Due to a lack of management control and change management processes within IT Services, the data controller failed to identify risks posed by their actions, which subsequently resulted in the error not being detected for a considerable period.
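The failure mode the undertaking describes is a common one: a test copy of an application is left beside the live one on the production web server, still wired to the live database. The undertaking gives no technical detail beyond that, so the following is an added example, not code from the article, the university or the ICO. It assumes a hypothetical layout in which each application sits in its own directory under the web root and carries a `db.ini` with a `[database]` section; the directory-name markers and the file name are illustrative assumptions. The audit flags directories whose names suggest a non-production copy, and separately flags those copies whose database configuration points at the production host, which is the case that exposed the student records here.

```python
"""Audit a web root for leftover test/dev copies of live applications.

Added example (not from the original article or the ICO undertaking). It
assumes a deployment layout where each application lives in its own
directory under the web root and carries a `db.ini` with a [database]
section; the layout, the file name and the name markers are assumptions.
"""
import configparser
import os
import re
import tempfile
from dataclasses import dataclass

# Directory-name fragments that suggest a non-production copy (assumed convention).
NON_PROD_MARKER = re.compile(r"(test|dev|staging|old|bak|copy|tmp)", re.IGNORECASE)


@dataclass
class Finding:
    app_dir: str
    reason: str


def read_db_host(app_dir):
    """Return the configured database host for one app directory, or None."""
    cfg = configparser.ConfigParser()
    if not cfg.read(os.path.join(app_dir, "db.ini")):
        return None
    return cfg.get("database", "host", fallback=None)


def audit_webroot(webroot, prod_db_host):
    """Walk the web root and report every directory that looks like a test copy.

    A test copy that also points at the production database is reported
    separately: that is the combination that leaks live data to the public.
    """
    findings = []
    for name in sorted(os.listdir(webroot)):
        app_dir = os.path.join(webroot, name)
        if not os.path.isdir(app_dir):
            continue
        if not NON_PROD_MARKER.search(name):
            continue  # looks like a production application; nothing to flag
        if read_db_host(app_dir) == prod_db_host:
            findings.append(Finding(name, "test copy reads the live database"))
        else:
            findings.append(Finding(name, "test copy left on live web root"))
    return findings


def build_sample_webroot():
    """Create a constructed web root with sample apps (made-up data, not real records)."""
    root = tempfile.mkdtemp(prefix="webroot_")
    apps = {
        "enquiry":      "live-db.internal",  # the live application
        "enquiry_test": "live-db.internal",  # orphaned test copy wired to the live DB
        "enquiry_dev":  "dev-db.internal",   # test copy, but on an isolated database
        "news":         "live-db.internal",  # another live application
    }
    for name, host in apps.items():
        app_dir = os.path.join(root, name)
        os.makedirs(app_dir)
        with open(os.path.join(app_dir, "db.ini"), "w") as fh:
            fh.write(f"[database]\nhost = {host}\nname = students\n")
    return root


def run_demo():
    """Run the audit over the constructed web root and return (dir, reason) pairs."""
    root = build_sample_webroot()
    return [(f.app_dir, f.reason) for f in audit_webroot(root, "live-db.internal")]


if __name__ == "__main__":
    for app, reason in run_demo():
        print(f"{app}: {reason}")
```

The name-based check is only a heuristic; the stronger control is the second one, comparing each deployed copy's database configuration against the production host, since a test artefact that can only reach a test database cannot leak live records however long it is forgotten.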