UTAS Announces Large-Scale Data Breach; Up To 19,900 Accounts Compromised

UTAS announced today that the identifying personal information of over 19,900 students has been compromised in the largest data breach in the University’s recent history. 

The breach, which was identified in mid-August and made public today, saw thousands of students receive emails from UTAS warning them that identifying information including names, personal email and phone numbers, ATAR scores, student results, personal legal information including birth country and gender, and other private information may have been accessed while the data was public between February and August of this year.  

The university confirmed that students with a UTAS email address (@utas.edu.au) may have had access to the information. All students should check their inbox for correspondence from the university, to see if they have been affected. 

UTAS identified the breach as the result of misconfigured SharePoint security settings, inadvertently granting public access to the sensitive information. Upon discovering the breach on August 11, the University launched an investigation and concluded that “there is no evidence this data breach was a result of malicious activity,” per their release today.  

The Tasmania University Union were notified of an upcoming announcement relating to cybersecurity a week ago. The TUU were briefed this morning, shortly before the breach was made public via email.  

When contacted by Togatus, the TUU acknowledged the University’s announcement, saying it was an important step forward for the University’s transparency.

“It would have been relatively easy for the University to suppress news of these breaches if it had been inclined to do so,” said Braydon Broad, State President of the TUU.

“While this may be a low bar to clear, it is demonstrative of the University taking a genuine stride towards accountability.”

Broad told Togatus that the TUU is concerned about the exposure of student data but believes that the risk posed to most students in this incident was low, since the breach appears to be accidental and not a coordinated attack. 

UTAS reiterated their commitment to student control over their data in an email sent to all students by Vice-Chancellor Rufus Black. 

“The data that was accessed is used to inform the support initiatives the University has in place and to facilitate engagement with students for this purpose,” Black wrote. 

The University placed responsibility on students currently in possession of information leaked in the breach to permanently delete it, and is in the process of contacting all individuals who have accessed the data.

The University also acknowledged that this bungle has put students at risk, including those with a history of family or domestic violence. 

UTAS has created a webpage which students can visit for more information about the incident. The University’s response also enlists IDCARE, a third-party identity and cyber support service, for students who believe they have been affected. The University has also set up an assistance line to deal with enquiries, available at 1800 019 897.