University of Sydney failed to protect students: Privacy Commissioner

Report slams university over website security flaws dating back to 2007

An investigation by the Acting NSW Privacy Commissioner, John McAteer, into the University of Sydney's security breach in January has found that the institution failed to meet its obligations to students under the Privacy and Personal Information Protection (PPIP) Act of 1998 due to a series of security blunders.

According to the report (PDF), a similar security flaw on the university's website was first reported in 2007.

"The university repaired the code error that allowed unauthorised access to student records on the university’s website by way of introducing a security patch but when updates to the software were made later in 2007, the patch was not re-introduced into the system due to an oversight," McAteer said in a statement.

The university has since introduced a new software control system that mitigates the risk of this happening again.

"In a further briefing provided to staff of this office, the university explained that the flaw in January 2011 was not an outcome of the failure in 2007 to re-install the security patch," McAteer said.

"Section 12 of the PPIP Act imposes a positive obligation on the University to take all reasonably available security measures to ensure a student’s personal information recorded on the University’s web-accessible records through the many transactions students complete on-line does not become available to unauthorised persons and bodies."

McAteer said that the University should have been aware that it held sensitive personal information about thousands of people, which, if it fell into the wrong hands, could lead to potential physical and financial threats to them.

"The information leaks in January 2011 resulted from what can be simply described as a programming error that allowed access to student records directly from one’s Web browser without the need to enter a password," he said.

According to the commissioner, the flaw was "avoidable" and the University did not take the available steps to avoid the risk that the leaks would eventuate.

While the report found that the university did not meet its obligations under section 12 of the PPIP Act, McAteer said that it did respond to the breach of security with "urgency and effectiveness" and that there was no need to take further action.

Got a security tip-off? Contact Hamish Barwick at hamish_barwick at

Follow Hamish Barwick on Twitter: @HamishBarwick

Follow Computerworld Australia on Twitter: @ComputerworldAU

Tags privacy

Show Comments