Intranet reveals staff information, floor plans, million service requests
Detailed floor plans and thousands of campus security requests were openly accessible to students.
The University of Sydney has left detailed floor plans of 1,335 University buildings, locations of staff and an archive of almost a million campus service requests easily accessible to any of USyd’s 60,000 students with an active UniKey.
Honi Soit has found that a Campus Assist Online portal, on the publicly accessible staff Intranet home page, provided effectively unlimited access to floor plans, service request records and some University employee information.
Logging into the portal with a student UniKey resulted in the system categorising the student account as a staff member. Accounts had the ability to change their own status to anything from a visitor, student, or casual staff member, to an Emeritus Professor.
The portal is a platform through which work and service requests are supposed to be submitted. In a statement to Honi, a University spokesperson said that students were given “access [to the portal] to raise Campus Assist requests 18 months ago, so we could resolve any building issues more quickly… The data is not classified as protected information and is available to staff to help them with their work.”
It is unclear whether students should therefore have only had access to the “Create a Space or Work request” tab of the portal. The spokesperson stated that the university has “now disabled student access as we review the matter and are working on putting in place a different and improved system for student requests,” suggesting that access to the other information may have been inadvertent.
Almost a million ‘archived’ service requests and nearly 90,000 ‘active’ service requests, dating from 1999 to 2021, were accessible through the portal. These included requests for campus security, guarding services, security patrol requests, security risk assessments, barricading services, and standard maintenance requests. The database was searchable by entry, issue type, location, status and requester.
The nature, status, and date of submission were accessible for every lodged work request through the “Service Request ID” search prompt. Service Request IDs could then be filtered by category and sorted by date to provide the user with a more complete picture.
Honi was able to access the sub-category and date of request for over 2,000 entries relating to security services under the ‘active’ work requests, and over 60,000 entries with information pertaining to the staff making work requests.
Detailed interactive floor plans for 1,335 University buildings and properties were accessible. The plans included illustrations of building facilities, classrooms, offices, rooftops, basements and service areas, as well as building coordinates and notes on maintenance access and keys required to unlock maintenance doors. The accessible data extended to every USyd campus, as well as regional and interstate properties and research facilities owned and managed by the University.
Interior floor plans ranged from corridors within the Quadrangle to ensuite bathrooms on the top floors of the F23 Administration Building, complete with architectural depictions of urinals. Square meterage was provided for rooms ranging from open-plan offices to storage cupboards and toilets. Building sizes and usable floor areas were provided down to the square centimetre.
Under a ‘Find a staff member’ tab, room locations of thousands of University staff members were accessible, as well as contact details for some. Selecting particular rooms and offices on digital floor plans provided the numbers and names of both academic and professional University staff assigned to them, sortable by Department or School. Occupancy information under a ‘Highlight rooms by department’ tab listed monthly non-utility room charges per Department by floor. Charges ran into the tens of thousands of dollars for some locations.
The ease with which students could access the database, and the subsequent removal of student access, raise questions over the University’s handling of information. The University’s use of software such as Dataminr and ProctorU has previously raised concerns about data management at the University.