“Big Yikes”: Heaps of Uni Data Unprotected


Invoices, transcripts and passport details accessible online

Using an alarmingly simple exploit, pretty much anyone with an Otago email could access a trove of official University data until late on Wednesday night, October 5th. This included personal contact information, transcripts, academic misconduct warnings and even Otago Uni invoices - but it doesn't look like anything was leaked. 


According to a statement from a University of Otago spokesperson, “At this early stage, and to the best of our knowledge, the incident is not malicious and some of the information was [already] publicly available.” 


Details of the exploit were revealed to Critic Te Ārohi by a student. He told us that he was “fucking around on the computers with some mates” when he discovered that he could access an astonishing number of ostensibly confidential internal University files. In the understatement of the year, the student described the discovery as “a big yikes”, and said that he mostly found contact information on other students. He told Critic Te Ārohi that he “wasn’t really personally affected” by the implications of this, but reached out because “this could really be abused in the wrong hands.” So we took the plunge, and found that a list of other students’ phone numbers was really just the tip of the iceberg. 


We won’t tell you how we accessed these files (yet), but we will certainly tell you what we found. Within a minute, we could access:


  • Information about current undergrad students, including their personal emails, phone numbers, home addresses, citizenship status and course details, as well as a list of every first-year recipient of an Otago Uni scholarship and which scholarship they got.
  • Information about struggling students, including every student who asked for course advice, when, what advice they received, their degree of confidence as well as details of academic misconduct warnings and appeals.
  • Information about international students, including their visa and passport details, their transcripts from overseas, and many of their letters of reference.
  • Information about postgrad students, including unpublished Masters and PhD theses, examiners’ comments for finished theses, multiple CVs, and - like for every other category - some information about exam results and transcripts. The theses may actually have been made public by the students themselves, rather than exposed by the wider issue here.
  • Information about staff, including staff member names, positions and user IDs, phone numbers and billing details for everyone on the Otago Uni staff mobile plan, and billing details for staff members’ purchase cards (P-cards, which they use to bill purchases to the Uni).
  • And, finally, information about the Uni itself, including internal admin spreadsheets, minutes of the University Senate and, most incredibly, piles upon piles of invoices, both outstanding and chargeable. 


We took this information to the University on Wednesday night (the 5th), right after we finished erasing all First Year Health Sci transcript data. Kidding, we didn’t touch anything. The Uni took it “extremely seriously”, according to a statement sent on Thursday, and have since shut down all access to the vulnerable database.


The Uni is “currently investigating the extent of the situation, both in terms of any individuals who may have been identified and who has accessed the information.” They said that they “will be contacting and apologising to students and staff who have been affected as soon as possible”, and that action was taken “immediately” to remedy the situation.


Finally, the statement said “We would like to thank Critic’s staff for their responsible handling of the situation to report the incident and ensure that the impact of accessibility to the information was not heightened following the disclosure.” Otago Uni thanking Critic Te Ārohi? Hell really must’ve frozen over. 


Stay tuned as we update this story - this is our last print issue for the year, but we’ll keep the kōrero going online.

This article first appeared in Issue 26, 2022.
Posted 5:03pm Thursday 6th October 2022 by Denzel Chung and Fox Meyer.