Response to data breach at university revealed

The University of Otago campus. PHOTO: ODT FILES

New details have revealed how University of Otago staff sought to put a lid on a potentially serious data breach.

Over the course of 16 days last year, the university learned of the breach, determined the cause, informed staff, students and the community, signed non-disclosure agreements with those who accessed the data, and started putting the incident behind it.

Documents obtained by the Otago Daily Times under the Official Information Act include the meeting minutes of a swiftly assembled response group after the university was alerted to the breach by student magazine Critic Te Arohi on October 5.

They also included internal emails between the university council, the acting registrar and the chief operating officer.

The university said the tranche of documents was released in the interests of transparency, although it would typically be withheld under the exception of free and frank expression.

Private information about university staff and students was accessed during the data breach, and a large file database was viewable to anyone with a university email address for about six weeks.

While 583 files were accessed, the university said this was not done maliciously, the information had not been shared, and it considered the potential harm from the breach to be low.

Access was closed off on October 5, alongside a raft of other measures.

The following day, the university was treating the breach as a notifiable privacy breach, "one that is likely to cause serious harm".

At that time the cause was "yet to be 100% confirmed", but it was already believed to be non-malicious, and staff were confident the cause was a design fault in which software reverted to the default, open-access settings when the document library exceeded 50,000 folders.

This was confirmed on October 7.

By that date, the three students associated with Critic had all signed privacy agreements.

On October 8, the university had a "high level of confidence" the data exposure only dated back to August 18.

A security report noted in the minutes of a meeting that same day said activity had been "relatively quiet", and a surge in breach attempts was considered unlikely after the university announced that all access had been disabled.

In a meeting on October 20, it was decided the response group would be stood down and residual actions would be handled as part of business as usual.

It was also decided there would be an initiative to try to ensure the 2023 student cohort was aware of how to secure its information.

University chief operating officer Stephen Willis thanked staff for managing and containing the "unfortunate and regrettable incident".

By October 21, University of Otago vice-chancellor Prof David Murdoch was congratulating the team on "really great work" in managing the incident.

The university declined to release correspondence with the privacy commissioner, on the grounds this would inhibit effective correspondence in future.

It was noted in the minutes of a meeting on October 6 that the commissioner had been notified, and was "reasonably comfortable" with the steps the university was taking.

The commissioner requested that the university ensure all information held in its databases was actually required to be there; for example, passport scans should be disposed of once verification was complete.

Correspondence with external advisers Deloitte and with affected students was also among the information withheld.

Some of the data accessed during the breach covered student course advice, scholarships, police vetting and test results.

Staff annual leave information, salaries, and home addresses were also accessed in the breach.

fiona.ellis@odt.co.nz