York Uni exposes students' private info

The University of York has leaked confidential personal information on students due to website security vulnerabilities. Details including mobile phone numbers, addresses and A-Level grades of an estimated 17,000 students were exposed as a result of the breach. University administrators have reported the incident to privacy …


This topic is closed for new posts.
  1. Anonymous Coward

    order of words is important

    The University of York is the English one. York University is in Canada. They might be a tad upset about your headline...

    I'm glad I'm not a student there any more, though - isn't 17,000 students just about all of them?

    1. dotdavid

      A bit much

      Perhaps the university's official name is "The University of York" but I think "York University" is just fine as a term used to refer to a university in a city called York, whether it is in the UK, Canada or anywhere.

  2. Whitter

    A simpler means to "learn from our mistakes"

    I think they (should have) meant: "To stop this from happening, it is vital that organisations sack those responsible".

    1. Jim Morrow

      sack them all

      easier said than done. it's almost impossible to sack anyone in a position of authority in academia because they've all got tenure: literally a job for life.

      a sacking in the private sector for breaching data protection would be difficult too. the employer would have to prove negligence by the employee(s) and/or gross misconduct.

      1. Anonymous Coward

        No such thing as tenure

        There are two problems with this observation:

        - the snafu would have been caused by administrative and/or IT staff rather than academics; academics aren't allowed anywhere near these kinds of systems;

        - the concept of tenure doesn't exist for academics at York University in any case. They're salaried employees of the University and can be fired for gross misconduct in the same way as anyone else. Tenure is largely a US concept, and a dying one at that.

        By all means, point fingers at people who cause cockups like this - but check your facts before you start bandying around the tired cliches about academic life as if this was the Daily Mail comment boards.

        1. Anonymous Coward

          Yes but...

          most admin/IT staff in major UK universities are still on academic related contracts - which gives various perks and makes us incredibly difficult to sack! And if you want it, you do pretty much have a job for life.

      2. Anonymous Coward

        gross misconduct?

        Did it happen?


        Gross misconduct. You're fired. Simple, see?

        1. Anonymous Coward

          Simple - in theory...

          Certainly at the University I work at, you would need to get all members of University council to meet and agree to fire an academic / academic related member of staff - and in the history of the University, the entire council has never met.

          In the few cases I know about when something bad has happened staff have been asked to resign in return for a glowing reference and bag of cash. Few leave, most stay... job for life after all.

          A frustrating sector to work in! (if you're good at what you do and want to provide great services for users!) Fantastic if you don't give a sh^t

    2. Sir Cosmo Bonsor

      I think they meant:

      "To stop this from happening, it is vital that organisations hire our highly-paid consultants".

  3. Rishi

    Statement from the ICO:

    Don't worry it was just 17,000 Students.

    No Harm done. Don't do it again.

    We don't have the resource or the expertise to understand that the fact you did not Pen-Test your website at all or bothered to do it at regular intervals was actually a bad thing.

    1. Anonymous Coward

      So what do you think they should do?

      Fine an already cash-strapped organisation, which will eat into research funding and get passed on to the students thanks to the relaxation in tuition fee caps?

      The leak was preventable, and I'm not saying there shouldn't be a punishment, but I'm not convinced a big fine will be of benefit to anyone but the ICO.

  4. doperative

    Vulnerabilities make it easy for hackers?

    “Vulnerabilities in websites make it all too easy for hackers to tamper with the content”

    No, it's badly written applications that make it easy ...

    > Maakaroun said. "To stop this from happening, it is vital that organisations take a more proactive approach to their security by continually scanning for web vulnerabilities which hackers find relatively easy to exploit.”

    How about storing the student data on a separate encrypted system not accessible directly from the Internet. Oh, and requiring authentication before allowing access, and implementing a second system to provide a full audit against the first.

  5. Anonymous Coward


    Do they have an IT degree?

    How about getting those students to security test your website. If they can get in, you did it wrong

    1. Gilbert Wham


      Since I have seen similar vulnerabilities exposed with no more than a bit of URL hacking on my university's website (a university which offers a degree in pen-testing, I might add), I'll wager this will happen again.

    2. SirTainleyBarking

      Course credit for getting in

      Double credit for fixing the exploits. Works for the hacker competitions that are held. The winner gets the PC / Mac being targeted.

      Or if they are students, a Firkin for getting in, a barrel for the fix

  6. Anonymous Coward


    Please tell me that doesn't sound like macaroon.....

  7. disgruntled yank


    Isn't that what Facebook is for?

Biting the hand that feeds IT © 1998–2020