Gavan Reilly's Portfolio writings, ramblings, mumblings

University hands confidential student records to media

The University Observer can exclusively reveal major security flaws within the UCD Registry, which allow an individual to gain access to the detailed academic records of any UCD graduate.

UCD’s Student Desk supplied The University Observer with copies of full academic statements for two recent graduates, after this newspaper compiled two standard application forms impersonating the students whose grades were being sought.

ADMINQ_SCThe forms in question require only basic details relating to the student’s enrolment in UCD – all of which may be available on university notice boards, over Blackboard, or through social networking sites such as Facebook.

Both applications were signed with fraudulent signatures, and provided incorrect contact details and postal addresses for the students concerned. At no point during the application process did university employees contact the individuals in question to validate the requisition of the statement. In both cases, grades were despatched by post to addresses at which the students had never lived.

The graduates had consented to The University Observer seeking copies of their grade statement, but did not themselves have any input, nor offer any assistance, in the applications.

In one case, where a set of grades had been issued but lost in the postal system, The University Observer telephoned the Student Desk asking if further copies of the grades could be made available for collection later that day. The Student Desk consented to this and made copies available for a representative of this newspaper, posing as a friend of the graduate in question, to collect that afternoon.

Offers from the caller, who was acting incognito, to give further details pertaining to the application – so as to assist in validating the caller’s supposed identity – were actively declined.

The revelations mean that any individual in possession of a UCD graduate’s basic personal details may be capable of impersonating that graduate and be issued with detailed copies of their academic records.

The news follows a significant breach of UCD’s data protection rules last year, where a spreadsheet containing the mobile and home phone numbers, email addresses and student numbers of almost five hundred students in the Quinn School of Business was posted to a public area of Blackboard.

A similar issue occurred two years ago when the School of History & Archives displayed a list of names and student numbers on a public notice board alongside a list of exam results which were referenced by student number. Such practices are believed to still be widespread in many schools throughout UCD.

In a statement to this newspaper, a university spokesperson advised students that “with the advent of new online social media, there are new opportunities for individuals […] to falsely apply for copies of official academic transcripts.” The spokesperson added that UCD encouraged students “to remain extra vigilant about publishing any personal information in publicly accessible online media […] which may be added to information obtained from other sources to create an impersonation.”

UCD Students’ Union President, Gary Redmond, commented “We’re obviously concerned with the apparent ease with which The University Observer were able to gain access to students academic transcripts. UCD Students’ Union encourages all students to take appropriate measures to ensure the protection of their personal details; however, the university should review its internal policies to ensure that all procedures were followed in this instance, and if necessary introduce mechanisms to ensure that a breach of this nature does not occur in the future.”

The university’s spokesperson declined to comment on whether data protection procedures within UCD Registry were inadequate or if they would be reviewed in light of The University Observer’s findings.