Concerns over the University of Sydney’s data management have been raised after a database of UniKeys was found to be openly accessible to students.
Until last Friday, the University’s Services Portal provided access to a searchable list of UniKeys indexed to their owners. This includes those of undergraduates, postgraduates, recent graduates, professional and teaching staff, and management.
While not sensitive information in itself, a UniKey is a unique identifier which could expose individuals to identity theft and unauthorised access to personal data.
“It’s pretty easy to manipulate,” one student said. “If someone gets access to someone’s University account, they can do things like email spoofing or access bank account details, HECS debt, and other personal information.”
A University spokesperson said that UniKeys are not “sensitive information,” and that access was provided “because the form allows one person to log an issue on behalf of somebody else.”
Using the form, students could hypothetically make an IT request on behalf of senior management personnel such as former Vice-Chancellor Stephen Garton, whose UniKey is accessible.
Following questions from Honi, student access to the list of UniKeys was removed across the majority of forms. At time of publication, however, the database is still accessible through some forms on the portal.
This is the second time in as many months that there have been concerns about mass access to University information. A database of floor plans and staff locations was previously found to be openly accessible.