Ronan Costello
Editor
A data breach on the college network has resulted in a student inadvertently downloading a spreadsheet with 56,478 names of students and staff as well as private information for each entry.
The student, who will remain anonymous, said, “I was looking to find contact details for one of my TA’s, but couldn’t remember their full name and only had their email address. Thus, I typed their email address in Google and got only one result, an excel file, which was 10.7 MB titled ‘tcdfpatron1.csv’.” The student then downloaded the file, assuming that its relevance in the google search might lead to the TA’s contact details. What was found instead was private information for thousands of both current and former students and staff dating back to 2001.
“For every single name there is a student/staff ID number, their full name, their home address, their course/department code, the date that they registered, their @tcd.ie email address and some contain a number of other codes after their name, but its not readily apparent what these stand for,” said the student.
“Also, quite a few have brief descriptions of their role, such as ‘Visting Researcher’, ‘Associate Professor’, ‘Fellow’ or other such things, after their info. The addresses include visiting lecturers or staff from Shanghai, the USA, UK, Germany, Japan, Greece, Sweden and students from all over the world, but most of them being Irish obviously.”
The document was available to download on the college network for over a year. The breach was brought to the attention of students in an email sent by Librarian Robin Adams on April 29 in which he said that the file was available between August 2009 until March 2011. The error was discovered by college on March 30.
In the email Mr Adams said, “This information was not accessible through the internet and the College has no reason to believe that your privacy was compromised.”
“In line with Data Protection legislation the College has reported this incident to the Data Protection Commissioner. We regret that this incident has taken place and for any inconvenience this may have caused you. The College takes its obligation to protect your data very seriously, and we will continue to work diligently to protect your personal information.”
However, the student who contacted The University Times speculated that other students were likely to have downloaded the file.
“I would imagine that other people, most likely students, also have this file, although they (like me, for a while) may not realise that they have it. Potential uses for the data could be to access the exam results or other academic records of notable/interesting students based on their student numbers, or use the email addresses of a huge amount of Trinity students, guests and Alumni for commercial, personal or other uses – similar for example to the infamous ‘Trinity Cat’ email that occurred towards the end of last year. Perhaps someone with a better knowledge of excel, or Trinity’s admin systems could think of other uses for the data.”
Whether a student or staff member downloaded the file and then used it for any such purposes is unknown.
SU President Ryan Bartlett said, “College is entrusted with the personal information of students and, as such, they are expected to ensure that that information is well protected. The most shocking part of this is how simple it seems to have been to breach the security of the database and download all this sensitive information. This is the largest breach in a series, after the ‘Trinity Cat’ email and most recently the ‘Conan’ staff entry on the English Department’s web page. Security must be increased if students and staff are to renew confidence in Trinity’s network.”
The security of the college network has been a recurring issue in the past year and has received attention from the national media, with The Irish Times reporting on the recent posting of a ‘Conan the Barbarian’ page on the English Department’s staff directory.
A spokesperson from ISS was not available to comment at the time of going to print.
