The University was made aware on Wednesday afternoon of a digital security issue which was found by a student and passed on to Critic Te Ārohi, the Otago University Student Association student magazine.
Upon being advised by Critic, an immediate investigation was undertaken by the Director of Information Technology Services (ITS).
The incident involved a student being able to access a document database in our service management software. This database holds a variety of private information relating to students and some work-related information of staff. The ITS team disabled all access to the information on Wednesday evening so this incorrect access was no longer possible.
A thorough investigation into the situation, both in terms of any individuals who may have been identified and who has accessed the information, is now underway. However, to the best of our knowledge to date, this does not appear to be malicious and instead relates to a technical fault in a newly installed software system. This fault resulted in the database being made available to anyone who had a University of Otago email address.
The University has since notified the Privacy Commissioner and is acting on the advice provided. It has also activated its Incident Management Team to ensure this matter is investigated fully and all appropriate stakeholders are informed.
The University is analysing the information that may have been accessed. This will take some time as due care is needed for accuracy and completeness. Staff and students who have been affected will be contacted with information and an apology as soon as possible.
University management would like to thank the staff of Critic for bringing this to our attention, and for their responsible handling of the incident which ensured no further accessibility of the information.
Any privacy issue is a source of concern to the University, and we deeply regret that this has occurred. We are focused on investigating the issue fully and applying the learning from it to reduce the likelihood of it happening again. We will also continue to take advice from the Office of the Privacy Commissioner so that all appropriate actions are taken.