University of Tasmania

The University of Tasmania exposed personal data of 19,900 students through a SharePoint misconfiguration that gave anyone with a UTAS email address access to student records.

What Happened

A misconfiguration in the University of Tasmania's SharePoint system resulted in student records being accessible to anyone with a UTAS email address. Instead of being restricted to authorised staff, a SharePoint site containing student information was visible to all UTAS email account holders, including other students and general staff.

The exposed data included student names, email addresses, student identification numbers, and phone numbers. The breach was an internal exposure rather than a public internet leak, but still represented a significant privacy violation as students could access each other's information.

Impact on Individuals

While the data exposure was limited to the university community rather than the public internet, affected students still faced privacy violations. The exposure of student contact details and ID numbers could enable harassment, phishing targeting university students, or misuse of student identities within the university system.

Organisational Response

UTAS identified and corrected the misconfiguration promptly once discovered. The university notified all 19,900 affected students and reported the breach to the OAIC. The incident highlighted the importance of proper access controls in cloud-based collaboration platforms and the risks of misconfigured SharePoint permissions.