Friday 7 October 2022 4:14pm
The University was made aware on Wednesday afternoon of a digital security issue which was found by a student and passed on to Critic Te Ārohi, the Otago University Student Association student magazine.
Upon being advised by Critic, an immediate investigation was undertaken by the Director of Information Technology Services (ITS).
The incident involved a student being able to access a document database in our service management software. This database holds a variety of private information relating to students and some work-related information of staff. The ITS team disabled all access to the information on Wednesday evening so this incorrect access was no longer possible.
A thorough investigation into the situation, both in terms of any individuals who may have been identified and who has accessed the information, is now underway. However, to the best of our knowledge to date, this does not appear to be malicious and instead relates to a technical fault in a newly installed software system. This fault resulted in the database being made available to anyone who had a University of Otago email address.
The University has since notified the Privacy Commissioner and is acting on the advice provided. It has also activated its Incident Management Team to ensure this matter is investigated fully and all appropriate stakeholders are informed.
The University is analysing the information that may have been accessed. This will take some time as due care is needed for accuracy and completeness. Staff and students who have been affected will be contacted with information and an apology as soon as possible.
University management would like to thank the staff of Critic for bringing this to our attention, and for their responsible handling of the incident which ensured no further accessibility of the information.
Any privacy issue is a source of concern to the University, and we deeply regret that this has occurred. We are focused on investigating the issue fully and applying the learning from it to reduce the likelihood of it happening again. We will also continue to take advice from the Office of the Privacy Commissioner so that all appropriate actions are taken.
If you have any queries about this, please contact AskOtago.
Background
The situation
This issue has arisen due to a technical fault in newly installed software. It was inadvertently found by a student, who raised the alarm by contacting Critic Te Ārohi. The University is very grateful for their actions, and the response from Critic, who alerted us to allow us to fix the problem before making it publicly known.
The student was able to inadvertently gain access to a document database in our service management software. They found some files which include information about students and work-related information about staff. The University has also notified the Privacy Commissioner and activated its Incident Management Team to ensure the matter is investigated fully and all appropriate stakeholders are informed.
We remain focused on investigating the issue fully and applying the learnings from it to reduce the likelihood of it happening again.
Access to personal information
There has been a privacy breach and we are being very careful to fully analyse this so that the facts are accurate and complete. The University has records which show who accessed the document library. This includes how many documents they accessed and the details of each document. Our analysis to verify the validity of access is ongoing. To the best of our knowledge at this time, we do not believe anybody has accessed this information in a malicious manner.
Investigation
Our initial investigation indicates the information was available for about six weeks. Our Information Technology team have a dedicated group of staff addressing the issue. We have already commissioned an independent company to review our processes and resolution of the issue. The cause and extent of the issue has already been determined. A permanent fix is now being investigated, along with a review to mitigate the risk of this happening again. The fault in the newly installed software is specific to this system. However, the University is carrying out widely checks to ensure that similar flaws do not exist for other systems.