FIVE FORMER EMPLOYEES HAD ACCIDENTAL ACCESS TO STUDENT INFORMATION
Five former student counsellors at Natural Sciences and Technical Sciences had accidental access to information on 13,000 students through a system used for study contracts. Nat-Tech Studies Administration discovered the data breach itself and reported it to the Danish Data Protection Agency as a personal data security breach.
The student information of 13,000 current and former students at the faculties of Natural Sciences and Technical Sciences was available for up to five years to five former student counsellors.
This information comes from Hanne Vester Rasmussen, Deputy Head of Administration at Nat-Tech Administrative Centre. The Nat-Tech Studies Administration is responsible for the Contract Generator system, where the information is stored.
The five student counsellors left the department within the last 1-5 years, and it’s during this period that they continued to have access to the system. Some of them still work at AU.
The Contract Generator contains information about the study programmes, thesis contracts, and titles of exam papers, as well as an optional text field where the student can provide relevant information. There is no personal data, such as Civil Registration Numbers (CPR numbers) or health information, unless students have entered it in the optional text field, Hanne Vester Rasmussen says.
A former employee discovered the data breach on 9 October and contacted Nat-Tech to bring it to their attention.
“He said that he could still access the system even though his employment had ended. The AU Studies Administration team then shut down the system, closed access for the person concerned, and began investigating whether others had access. That’s when they noticed another four,” Hanne Vester Rasmussen says.
HAS REPORTED THE MATTER TO THE DANISH DATA PROTECTION AGENCY
Employees’ access to the system must be manually revoked when they leave, but this step was overlooked in these five cases.
“The procedure requires an email to be sent to the system owner regarding the termination of a specific employee, which is done when the employee has left or is about to leave. And mistakes can happen. It could be an oversight or a typing error made by a personnel manager or the system owner. We can’t identify that,” Hanne Vester Rasmussen says, noting:
“It’s a shame, and it’s annoying. Of course, we take this very seriously, as it should never happen, and we are working to correct it,” says the Deputy Head of Administration.
Nat-Tech can’t imagine how the information could be misused, Hanne Vester Rasmussen says. However, the data breach has been reported to the Danish Data Protection Agency as a personal data security breach. The 13,000 students have not been contacted individually regarding the data breach, but Nat-Tech has published a notice about it on its study portal. Students are welcome to contact Nat-Tech Studies Administration if they have any questions.
No one has accidentally accessed the system within the last 30 days, according to the log, but it is impossible to say whether one of the five former employees may have accessed the system without authorisation within the last 1-5 years, Hanne Vester Rasmussen says.
AN ANNOYING MISTAKE, BUT PROUD OF HOW IT WAS HANDLED
Nat-Tech was already in the process of reviewing all its systems before the data breach came to light, Hanne Vester Rasmussen explains.
“We hadn’t gotten to this system yet. Of course, we have security controls in place in our systems, but in this case, we can see there is room for improvement,” she says.
Hanne Vester Rasmussen notes that the relevant employees at Nat-Tech Studies Administration responded immediately when alerted to the data breach and subsequently resolved the issue.
"I have great praise for the employees who handled this data breach. I’d really like to promote that we don’t cover up our mistakes, but learn from them. That I am incredibly proud of, even though we find it annoying," the Deputy Head of Administration says.
This text was machine translated and post-edited by Lisa Enevoldsen.