News //

Thousands of students’ data at risk in University security breach

A security breach in one of Sydney University’s IT systems has potentially left thousands of students’ data in the possession of hackers. Tim Asimakis reports.

A security breach in one of Sydney University's IT systems has potentially left thousands of students' data in the possession of hackers. Tim Asimakis reports.

UPDATE: A 16-year old hacker, Abdilo, has claimed responsibility for the breach. Read more.

Thousands of students were today contacted by Duncan Ivison, Dean of the Faculty of Arts and Social Sciences, and informed that, due to an an information security breach, their personal information could now be in the hands of hackers. According to the email, the University’s Information Security Team identified that the ORSEE application (Online Recruitment System for Economic Experiments) had been accessed by an unknown party on February 2.

The personal information that ORSEE stored included the name, contact details, and gender of 5,000 students, many of who had applied to be involved in the University’s economic experiments.

The Information Security Team were first made aware of a vulnerability in the software thanks to a tip off from another University on February 6. However, it was not until February 10 that the Security Team disabled ORSEE, eight days after the unauthorised person had broken into the database.

When asked if the vulnerability was due to the University’s use of the software or due to a flaw in the software itself, the University refused to offer comment.

As is often the case for industry standard software, ORSEE is published under an Open Source License. This means that anyone can read the code. It is considered secure because it allows for anyone to find flaws and submit patches for them. It also allows for those flaws to be identified and exploited by malicious actors.

The University assured affected students that it had passed along all relevant information to the NSW police, and that it would report the incident to the NSW Privacy Commissioner, in accordance with its privacy policy.

The application has since been patched.