Personal details of hundreds of University of Greenwich research students have been accidentally published online by University staff, in what is a clear breach of privacy laws and internal security policy. An investigation by Cognition has found that much of the offending data is still available online for anyone to read.
The University has removed the material from its website and is conducting an internal investigation. More seriously, so is the Information Commissioner’s Office, which has the ability to issue fines of 10 million euro.
The personal information was first discovered by one of the students who was able to find the information via a Google search. The leaked data contained names, addresses, phone numbers, dates of birth, signatures and medical details and was all publicly viewable on the website alongside committee minutes. The University has since contacted Google to request its cache of leaked data be removed.
When I heard about this breach this morning, we launched a quick reconnaissance exercise to see if the University had indeed removed the data from its website and if any could still be traced via Google. We gave ourselves a challenge of 30 minutes to see what we could find. The result wasn’t good. Not good for the University and not good for its research students. It took us 5 minutes to find what we needed and all through Google. We won’t disclose the exact search term we used but it’s fairly obvious if you’ve used Google a fair bit.
What We Found
- The sensitive data comprises meeting minutes that were collated with supporting material (e.g. emails, completed application forms, CVs, etc.), scanned as a single batch with Optical Character Recognition (aka OCR), and then published online as one single document.
- In our brief test we found nine documents that the University had published online containing Faculty Research Degrees Committee meeting minutes – all indexed and recorded by Google.
- All nine of the documents linked to pages on the University website that have been removed (leaving a 404 Not Found error for anyone browsing to them).
- Four of the documents had no cached version (we assume that these are the documents that the University successfully requested that Google remove). Despite no cached version existing, the Google results themselves still contain sensitive data if you add on particular search strings, e.g. date of birth.
- Five of the documents were fully cached as HTML and fully readable.
- Available data from the five documents: students’ names, date of birth, address, telephone, email, employment and education history, funding source, discussion of student course progression and reasons for delays, and full email conversations between tutors and students. (One included details of a family bereavement, another included discussion of student visa breaches.)
The image below shows the results of this one Google search (search string obfuscated for privacy reasons). Note the arrows (underlined in red) next to five of the results showing they have fully cached copies.
Following our findings, we have contacted the University directly to advise them to request Google remove all nine of these search results.
In the meantime the university’s secretary Louise Nadal has given the following statement:
“I am very sorry that personal information about a number of postgraduate research students has been accessible on the university website.
“This was a serious error, in breach of our own policies and procedures. The material has now been removed. This was an unprecedented data breach for the university and we took action as quickly as possible, once the issue came to light.
“We are now acting urgently to identify those affected. I will be contacting each person individually to apologise and to offer the support of the university.
“At the same time, I am also conducting an investigation into what went wrong. This will form part of a robust review, to make sure that this cannot happen again. The findings and recommendations of the review will be published.
“We are co-operating fully with the Information Commissioner and we will take all steps necessary to ensure that we have the best systems in place for the future.”