Almost 20,000 students from the University of Tasmania (UTAS) have had their personal information exposed and compromised as a result of a major IT mishap. According to IT News, a misconfigured SharePoint site exposed the sensitive files of students who hold a university email address.
The SharePoint misconfiguration was in place for nearly six months, from February 27 to August 11 of this year, notes IT News. Files stored in this Microsoft Office 365 application were made visible and accessible to individuals who logged into the University's Office 365 system.
UTAS reportedly became aware of the incident only after a student notified it in August, University General Counsel Jane Beaumont told ABC News.
Besides the misconfiguration, UTAS also points to the Delve application in the Office 365 platform as part of the problem. IT News states that the Delve program allows content to be displayed and accessed depending on user privileges. It is also responsible for automatically making certain files visible to users.
While the incident initially surfaced early in August 2020, around August 11, IT News states the University of Tasmania only reached out and informed the affected students on Monday, September 21, 2020.
The misconfiguration of the SharePoint site was unintentional, and there are no signs that the data breach was the result of malicious attackers trying to gain access to the system.
In a statement, UTAS said, “the security settings for this SharePoint site were unintentionally configured incorrectly. This meant that individuals with a utas.edu.au email address not authorised to access documents saved in the site were inadvertently granted access.”
The compromised information, however, includes students’ full names, email addresses, phone numbers, date and country of birth, student IDs, ATARs, and other essential information pertaining to the students’ enrollment, such as commentary or notes.
ABC News states that while student information may have been compromised, the data revealed varies from one student to another. In a statement, the educational institution said, “not every individual will have had the same personal information accessed.”
Following the data breach, the University of Tasmania notified students about the incident. The institution has also informed the Office of the Australian Information Commissioner (OAIC) of the breach.
Individuals or students who have concerns about the incident are urged to call the hotline set up by UTAS at 1800 019 897 to gain more insight about the breach.
As of writing, the University of Tasmania has already disabled the Delve program in its Microsoft Office 365 service. It has also created new Teams sites and set up automatic alerts to help it determine the sources of changes to permission settings.