Hackers have published a database of 440,000 ProctorU user records, including records belonging to University of Sydney staff.
The database is part of 386 million user records published by hacker group ShinyHunters over the past week, cyber-security publication BleepingComputer reports. The data includes usernames, unencrypted passwords, legal names and full residential addresses.
Honi Soit can exclusively report that it includes user records with emails belonging to the University of Sydney, the University of New South Wales, the University of Melbourne, the University of Queensland, the University of Tasmania, James Cook University, Swinburne University of Technology, the University of Western Australia, Curtin University and the University of Adelaide.
It does not appear that any records of USyd students are included in the database.
ProctorU was engaged by the University of Sydney to oversee online exams this semester, following the transition to online learning.
The data breach follows heavy student criticism of the University’s use of the service, arguing ProctorU violates student privacy.
ProctorU involves invasive supervision of students undertaking exams, allowing proctors to remotely control students’ computers and require students to show their rooms on camera.
The company’s own privacy policy acknowledges it is possible it will transfer user data to third parties without users’ consent.
In May, the Students’ Representative Council voted to call on the University not to engage ProctorU.
“The University of Sydney Students’ Representative Council is extremely troubled by news that ProctorU has been hacked and up to 440,000 users data compromised,” SRC President Liam Donohoe told Honi.
“We consistently warned the University that this could happen. We demand the University immediately suspend the use of ProctorU, as that is the only way to guarantee that students are not exposed again in the future.”
In an initial statement provided on 5 August, a University spokesperson told Honi that, “We are aware of recent reports of a cyber security incident impacting ProctorU, and have been in contact with them to confirm the circumstances of the alleged breach and whether any University data has been impacted.”
On 6 August, a spokesperson was able to confirm that the University had met with ProctorU’s CEO and Compliance Officer, who confirmed they are investigating a breach of confidential data relating to users of their service.
“We understand the data relates to people who were registered as users of ProctorU’s services on or before 2014. We don’t believe our current students are directly impacted by this breach as we began using ProctorU’s online proctoring services in 2020, in response to the COVID19 pandemic.
“Any breach of security and privacy of this type is of course deeply concerning and we will continue to work with ProctorU to understand the circumstances of the breach and determine whether any follow-up actions are required on our part. We’ll also review our experience of online exams and proctoring this year to inform our approach to assessments in 2021.”
On 7 August, ProctorU publicly acknowledged the breach on Twitter, claiming the leaked records did not contain any financial information.
“ProctorU has disabled the server, terminated access to the environment and is investigating this incident. In addition, ProctorU has implemented additional security measures to prevent any recurrence.”
Spokespeople from James Cook University and the University of Adelaide have told Honi that the University had not engaged ProctorU, and a spokesperson from UNSW said that they had been advised their records had not been compromised, raising questions as to how these emails came to be included in the database.
Editor’s note: This article has been updated after publishing to include comment from ProctorU, the University of Sydney, James Cook University, the University of Adelaide and UNSW.