News //

Student disability info ‘lost’ by uni was unencrypted and unsecured

Tom Joyner reports.

Update: this article has been updated to reflect a response to a request for comment from the University of Sydney. 

The disability information of nearly 7,000 current and former students of the University of Sydney “lost” in a major privacy breach in February was unencrypted and unsecured, an internal review of incident has found.

The information was lost when a software developer employed by the University left a laptop containing a student disability database on a bus while returning home from work on February 29.

The University notified NSW Police of the breach on March 2, as well as the NSW Privacy Commissioner under the state’s privacy legislation two days later. An apology was sent to affected students on March 4. 

The six-page internal review, obtained by Honi Soit, concluded there was “no evidence” of unauthorised access, use or disclosure of the disability information on the laptop.

However, it found the incident infringed on the University’s own ICT policy, which requires that “appropriate controls” like encryptions be applied at a minimum where sensitive classified information is concerned.

Information security expert and industry watcher Troy Hunt told Honi it was “foolish” for the database to have been taken home with an employee in the first place.

“It’s a risky proposition but unfortunately it’s not at all uncommon. I’ve seen it many times in the corporate environment. There is not simply a defensive attitude in terms of protecting data.”

He said the breach was inevitably the culmination of a failure on many levels within the University.

“As an organisation the University hasn’t been encrypting drives, which really isn’t a smart idea,” he said. “Everything that has happened is preventable. If any one of those steps had been in place it wouldn’t have happened.”

A University spokesperson conceded the information stored on the laptop did not meet University policy, but measures had been put in place to prevent a repeat of the February 29 incident. These included providing guidance to staff on how to protect sensitive information on portable devices, changes to internal practices in the Information and Communications Technology unit, and standardising data encryption on all devices.

The internal review was launched after 21 students made privacy complaints to the University, including some who requested their information be removed from the database.

An external consultant has since been contracted to submit an independent report of the incident with recommendations to the University to best prevent similar incidents in the future.