The University of Tasmania (UTAS) has leaked the personal information of nearly 20,000 students through a misconfigured Office365 Sharepoint site.

From 27 February until 11 August – when the mistake was uncovered – anybody with a UTAS email address could have accessed files which included the personal data of approximately 19,900 enrolled students.

Some files were also suggested to UTAS’ Office365 users as part of the platform’s ‘Delve’ feature.

UTAS Vice Chancellor, Professor Rufus Black, offered his sincerest apologies in an email to students on Monday.

“On behalf of the university I sincerely apologise to all students who have been affected by this incident,” Professor Black said.

“Please be assured that we take the management of your personal information extremely seriously.

“We have undertaken a thorough review of how this information became accessible and have taken immediate steps to ensure it is secure.”

UTAS reiterated that the leak was caused by error and there was “no evidence this data breach was a result of malicious activity”.

Following the leak discovery, UTAS updated its Sharepoint permissions, disabled the Delve feature, and began migrating its internal sites Sharepoint to Microsoft Teams.

UTAS will also give staff more training on how to use Office 365.

Sensitive information

The files included personally identifiable information like full names, email addresses, phone numbers, and dates of birth. But it also contained information that would be classed as 'sensitive' under Tasmanian privacy legislation, such as country of birth, or Indigenous or Torres Straight Islander status.

No banking or credit card details were exposed in the misconfiguration.

The university said it was able to identify the students and staff who accessed the leaked information and “sought assurance” that anyone who downloaded, copied, or shared the trove of personally identifiable information deleted the data.

A spokesperson for the Office of the Australian Information Commissioner said it had received 1,050 data breach notifications in the last financial year.

“Many were caused by human error or cyberattacks linked to phishing or poor password practices,” the spokesperson said.

“Organisations need to be proactive in protecting personal information and preventing these breaches, including supporting employees with better training, processes and technology. They should also be prepared and have a data breach response plan ready to go.

“We advise individuals to respond quickly when they’re notified and take the appropriate action, such as changing passwords, checking accounts and credit reports, and watching out for scams.”

Professor Black encouraged concerned students to seek help through services provided by the university.

“We have established a dedicated support line – 1800 019 897 – to assist students with any questions or concerns about their personal information,” he said.

“The support line will be open between 7am and 7pm from Monday to Friday.

“We have also engaged IDCARE – experts in national identity and cyber support services – to provide further independent advice and cyber support to students, including dedicated case managers who work with individuals to develop tailored and personalised response plans.”