The University of York has leaked confidential personal information on students due to website security vulnerabilities. Details including mobile phone numbers, addresses and A-Level grades of an estimated 17,000 students were exposed as a result of the breach. University administrators have reported the incident to privacy …
order of words is important
The University of York is the English one. York University is in Canada. They might be a tad upset about your headline...
I'm glad I'm not a student there any more, though - isn't 17,000 students just about all of them?
A bit much
Perhaps the university's official name is "The University of York" but I think "York University" is just fine as a term used to refer to a university in a city called York, whether it is in the UK, Canada or anywhere.
A simpler means to "learn from our mistakes"
I think they (should have) meant: "To stop this from happening, it is vital that organisations sack those responsible".
sack them all
Easier said than done. It's almost impossible to sack anyone in a position of authority in academia because they've all got tenure: literally a job for life.
A sacking in the private sector for breaching data protection would be difficult too. The employer would have to prove negligence by the employee(s) and/or gross misconduct.
No such thing as tenure
There are two problems with this observation:
- the snafu would have been caused by administrative and/or IT staff rather than academics; academics aren't allowed anywhere near these kinds of systems;
- the concept of tenure doesn't exist for academics at York University in any case. They're salaried employees of the University and can be fired for gross misconduct in the same way as anyone else. Tenure is largely a US concept, and a dying one at that.
By all means, point fingers at people who cause cockups like this - but check your facts before you start bandying around the tired clichés about academic life as if this was the Daily Mail comment boards.
I think they meant:
"To stop this from happening, it is vital that organisations hire our highly-paid consultants".
Most admin/IT staff in major UK universities are still on academic-related contracts - which gives various perks and makes us incredibly difficult to sack! And if you want it, you do pretty much have a job for life.
Did it happen?
Gross misconduct. You're fired. Simple, see?
Simple - in theory...
Certainly at the University I work at, you would need to get all members of University council to meet and agree to fire an academic / academic-related member of staff - and in the history of the University, the entire council has never met.
In the few cases I know about when something bad has happened staff have been asked to resign in return for a glowing reference and bag of cash. Few leave, most stay... job for life after all.
A frustrating sector to work in! (if you're good at what you do and want to provide great services for users!) Fantastic if you don't give a sh^t
Statement from the ICO:
Don't worry, it was just 17,000 students.
No harm done. Don't do it again.
We don't have the resources or the expertise to understand that the fact you did not pen-test your website at all, or bother to do it at regular intervals, was actually a bad thing.
So what do you think they should do?
Fine an already cash-strapped organisation, which will eat into research funding and get passed on to the students thanks to the relaxation in tuition fee caps?
The leak was preventable, and I'm not saying there shouldn't be a punishment, but I'm not convinced a big fine will be of benefit to anyone but the ICO.
Vulnerabilities make it easy for hackers?
“Vulnerabilities in websites make it all too easy for hackers to tamper with the content"
No, it's badly written applications that make it easy ...
> Maakaroun said. "To stop this from happening, it is vital that organisations take a more proactive approach to their security by continually scanning for web vulnerabilities which hackers find relatively easy to exploit.”
How about storing the student data on a separate encrypted system not accessible directly from the Internet. Oh, and requiring authentication before allowing access, and implementing a second system to provide a full audit against the first.
Do they have an IT degree?
How about getting those students to security test your website. If they can get in, you did it wrong
Since I have seen similar vulnerabilities exposed with no more than a bit of URL hacking on my university's website (a university which offers a degree in pen-testing, I might add), I'll wager this will happen again.
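The "bit of URL hacking" in the comment above is the classic pattern of a record id in the URL being trusted without an ownership check. As an added illustration (not code from the original page or from any university's system), here is a hypothetical student-record lookup in that shape beside a hardened version that does the three things an earlier commenter asked for: require authentication, check that the caller is entitled to that particular record, and write every attempt to an audit trail. All names, records, session cookies and the `/student/<id>` route are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Constructed sample records (hypothetical, not real students).
STUDENTS = {
    1001: {"name": "A. Example", "mobile": "07700 900001", "a_levels": "AAB"},
    1002: {"name": "B. Example", "mobile": "07700 900002", "a_levels": "ABB"},
}

# Constructed session store: cookie value -> authenticated identity.
SESSIONS = {
    "cookie-alice": {"user": "alice", "student_id": 1001, "role": "student"},
    "cookie-registry": {"user": "registry", "student_id": None, "role": "admin"},
}

# The record id is taken straight from the URL path in both handlers.
ROUTE = re.compile(r"^/student/(\d+)$")


def vulnerable_lookup(path: str) -> Optional[dict]:
    """The 'URL hacking' case: the id in the path is trusted as-is.

    Editing /student/1001 to /student/1002 in the address bar returns the
    other student's mobile number and grades. No login, no ownership check.
    """
    m = ROUTE.match(path)
    if not m:
        return None
    return STUDENTS.get(int(m.group(1)))


@dataclass
class AuditLog:
    """Append-only trail that records every access attempt, denied or not."""
    entries: list = field(default_factory=list)

    def record(self, who: str, target: int, outcome: str) -> None:
        self.entries.append({"who": who, "target": target, "outcome": outcome})


def hardened_lookup(path: str, session_cookie: Optional[str],
                    audit: AuditLog) -> Tuple[int, Optional[dict]]:
    """Same route, but: authenticate the caller, authorise against the
    requested record (own record, or an admin role), and audit the attempt.

    Returns an HTTP-style status and the record (only on 200).
    """
    m = ROUTE.match(path)
    if not m:
        return 404, None
    sid = int(m.group(1))

    # 1. Authentication: a missing or unknown cookie gets nothing.
    session = SESSIONS.get(session_cookie) if session_cookie else None
    if session is None:
        audit.record("anonymous", sid, "denied: unauthenticated")
        return 401, None

    # 2. Authorisation: the id in the URL must match the session's own
    #    student id unless the caller holds the admin role.
    if session["role"] != "admin" and session["student_id"] != sid:
        audit.record(session["user"], sid, "denied: not record owner")
        return 403, None

    # 3. Only now touch the data store.
    record = STUDENTS.get(sid)
    if record is None:
        audit.record(session["user"], sid, "not found")
        return 404, None
    audit.record(session["user"], sid, "read")
    return 200, record


if __name__ == "__main__":
    log = AuditLog()
    print(vulnerable_lookup("/student/1002"))                      # leaks with no login
    print(hardened_lookup("/student/1002", None, log))             # (401, None)
    print(hardened_lookup("/student/1002", "cookie-alice", log))   # (403, None)
    print(hardened_lookup("/student/1001", "cookie-alice", log))   # (200, {...})
    for entry in log.entries:
        print(entry)
```

The point of the audit log being written before the data store is consulted is that a denied attempt (the 401 and 403 cases) leaves a trace too; a scan of the kind the quoted consultant recommends would show up as a run of "denied: not record owner" entries from one session rather than as silent successes.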
Course credit for getting in
Double credit for fixing the exploits. Works for the hacker competitions that are held. The winner gets the PC / Mac being targeted.
Or if they are students, a Firkin for getting in, a barrel for the fix
Please tell me that doesn't sound like macaroon.....
Isn't that what Facebook is for?