19 Oct 2022

Private details of Otago students were exposed by digital fault

4:45 pm on 19 October 2022
Clock tower building on campus

The University of Otago says about 23 students accessed unsecured online information in its databases after finding a digital security loophole. Photo: RNZ / Nate McKinnon

A digital security breach allowed personal details about most University of Otago students to be viewable to others, the university has told the Privacy Commissioner.

A technical fault in a new software system meant a large database - containing personal information in some files - was accessible to anyone with a current university email address.

The university only became aware of the privacy breach after being alerted by a journalist from student magazine Critic Te Ārohi.

About 23 students accessed information they were not meant to see.

In an email sent to all students on Monday, university chief operating officer Stephen Willis said it would advise everyone who was affected.

"Over the next few days, students across the university will be receiving emails from our privacy officer, informing them if any of their personal information may have been accessed as a result of the recent digital security incident," an email from Willis said.

"University staff have been carefully working through information to determine who accessed files, what information was seen, and whose privacy may have been affected as a result. Due to the types of files in the system most Otago students will receive one or more of these privacy breach notification emails. That is because some of the files accessed included information on course enrolments or course approvals for 2023.

"If you have not had an email about this by the end of this week, you are not affected."

Willis told RNZ the office of the Privacy Commissioner was notified immediately of the breach and had been updated throughout the university's investigation.

"Our investigation has found who has been affected and what information was accessed. We have assured students that all aspects of who looked into files, when and what they did with them was fully visible to our IT security team.

"No-one outside of the university community has accessed the data. Anyone who accessed any information has since signed a Non-Disclosure Agreement."

Willis said the risk of any negative impacts from the privacy breach was "incredibly low ... given the format of the information, the positive engagement of those involved, people being unaware they could access this information and immediately checking they no longer had any access".

Get the RNZ app

for ad-free news and current affairs