Personal information belonging to almost 20,000 University of Tasmania (UTAS) students was mistakenly made public for more than five months due to security settings being configured incorrectly.
Affected students were informed of the breach on Sept. 21, which made their data available to anyone with a UTAS email address from late February to Aug. 11.
UTAS says analysis of the files has revealed a “number of users” with university emails have accessed the information.
The data, which contains personally identifiable information, is used to inform how the university supports students in their studies, UTAS says.
Bank account details were not part of the data breach.
“Security settings on shared files were unintentionally configured incorrectly, which made the information visible and accessible to unauthorised users,” the university said in a statement.
The university says it became aware of the breach on Aug. 11 and has engaged independent experts to assist.
“I sincerely apologise to all students who have been affected by this incident,” University of Tasmania Vice-Chancellor Rufus Black said.
“We have undertaken a thorough review of how this information became accessible and took immediate steps to ensure it is secure.”
UTAS is in the process of contacting people who accessed the data and has “sought assurance” that the files, or screenshots or shared copies of the files, have been permanently deleted.
Information belonging to the 19,900 students was made public through Microsoft Office365 platform SharePoint, which is used to store, share and access files.
Access privileges were incorrectly configured on an Office365 application, which displays content to users based on those privileges.
“There is no evidence this data breach was a result of malicious activity,” UTAS said.
“The system has now been correctly configured.”
UTAS has set up a hotline for students with questions or concerns.