The University of Otago has informed the Privacy Commissioner that a digital security breach made the personal information of the majority of its students accessible to others.
Many University of Otago students, particularly potential students, had access to their personal information without protection for six weeks. Anyone with a valid university email address had access to a sizable database that contained personal information in some files due to a technical error in a new software system.
The institution was not informed of the privacy violation until a journalist from the student publication Critic Te Ārohi informed them of it. As per the reports, 23 students or so accessed material that was not intended for them.
While the danger of harm was 'extremely minimal,' some information could have been accessed during this time, and the majority of students could anticipate hearing from a privacy officer, according to a university representative.
There were also user IDs for the staff members and bank records showing the transactions made using their business cards. A few documents, according to the representative, have been downloaded, but still, an audit had been done to make sure they had been removed.
University officials have been meticulously sifting through data to identify file accessors, the content they viewed, and any individuals whose data may have been compromised as a result. Most Otago students will be sent one or more of these data theft notice emails due to the variety of files in the system. This is due to the fact that some of the files that were viewed contained data about 2023 course enrollments or course approvals.
Stephen Willis, the chief operating officer of the university told RNZ that the office of the Privacy Commissioner was informed of the breach immediately and kept informed as the institution looked into it, he said, "We have discovered who was impacted and what data was accessed thanks to our investigation. We have convinced students that our IT security team had complete visibility into every detail of who accessed files, when, and what they were used for."
Everyone who had unlawfully accessed a file had been contacted and asked to sign a non-disclosure agreement as the University could identify who had viewed which documents.
