A major investigation is under way at the University of Otago after its digital security system was breached, and private student and staff information was accessed.
The breach was found by a student who told the Otago University Student Association’s Critic Te Arohi magazine.
Magazine staff then informed the university’s Information Technology Services (ITS) staff about the breach last Wednesday.
A university spokeswoman said the student was able to access a document database in the university’s service management software.
"This database holds a variety of private information relating to students and some work-related information of staff.
"The ITS team disabled all access to the information on Wednesday evening so this incorrect access was no longer possible."
She said a thorough investigation into the situation, both in terms of any individuals who may have been identified and who had accessed the information, was now under way.
The university has records which show who accessed the document library, how many documents they accessed and the details of each document.
"To the best of our knowledge at this time, we do not believe anybody has accessed this information in a malicious manner.
"Investigations so far indicate the information was available for about six weeks."
She said the breach related to a "technical fault" in a newly installed software system.
"This fault resulted in the database being made available to anyone who had a University of Otago email address."
The university had contacted the Privacy Commissioner and was acting on the advice provided.
It had also activated its Incident Management Team to ensure the matter was investigated fully and all appropriate stakeholders were informed.
"The university is analysing the information that may have been accessed.
"This will take some time as due care is needed for accuracy and completeness.
"Staff and students who have been affected will be contacted with information and an apology as soon as possible.
"Any privacy issue is a source of concern to the university and we deeply regret that this has occurred."
She said ITS staff were focused on investigating the issue fully and applying the learning from it to reduce the likelihood of it happening again.
"We have already commissioned an independent company to review our processes and resolution of the issue.
"A permanent fix is now being investigated, along with a review to mitigate the risk of this happening again.
"The fault in the newly installed software is specific to this system, but the university is carrying out wider checks to ensure that similar flaws do not exist for other systems.
"We will also continue to take advice from the Office of the Privacy Commissioner so that all appropriate actions are taken."
University management thanked the staff of Critic for bringing the issue to light, and for their responsible handling of the incident which ensured no further accessibility of the information, she said.
