News
Dec 13, 2017

Tcal Risked Student Data, Says College

IT Services said the popular app had the potential to illegally access students' personal information.

Róisín PowerAssistant Editor
blank

Trinity is treating the Trinity Calendar (Tcal) app as a “data protection breach”, according to a report obtained by The University Times. Trinity’s IT Services believes that Tcal had the potential to illegally access students’ personal information.

The report, compiled by Trinity’s Data Protection Officer, Jennifer Ryan, says that IT Services first became aware of the service on October 19th. It also details that they only came across the service, which has been running since October 2016, when they picked “up on a high volume of internet traffic to an unknown web address” that was “harvesting TCD student credentials”.

Speaking to The University Times, Rory Hughes, the creator of Tcal, explained that IT Services asked him to attend a meeting with Lee Mills, the Head of Central and Distributed Support in IT Services, to discuss concerns that his my.tcd.ie account details had been breached by the app, which is unauthorised by Trinity.

ADVERTISEMENT

In the meeting, Hughes admitted that he was the creator of Tcal.

In an email statement to The University Times, the Security Manager in IT Services, Sara McAneney, said that Hughes “confirmed that the usernames and passwords were held indefinitely in a readable format on an external database service”, Amazon Web Services. “The usernames and passwords could be used for unauthorised access to the private information of the students such as, their Student email, Student record, Blackboard, library or Printing accounts”, McAnerney said.

IT Services also flagged concerns that, while Hughes put measures in place to protect students’ passwords from external attacks, he still had access to all passwords of app users.

However, the report acknowledged that no student accounts had been accessed, other than to retrieve their timetable information. Over the past five weeks, Hughes has attended multiple meetings of a serious nature with Junior Dean Tim Trimble, Ryan and IT Services. However, he said that they were somewhat complimentary of the service.

IT Services is to take the details of the 1,500 students who used the site, which Hughes has handed over to College, and will email to inform them that their passwords for Trinity accounts and the my.tcd.ie portal will expire and will need to be renewed.

The report recommended that Hughes figure out a way to deliver the Tcal service without students having to use their credentials. It was suggested that he work with the School of Computer Science to do so, but according to Hughes, he has yet to hear from IT Services about integrating the service into the existing services, such as the MyDay app.

MyDay allows users access to online College services, including Trinity’s social media, as well as class timetables, library accounts, blackboard and my.tcd.ie.

However, Hughes said that with impending assignments and exams in January that he most likely will not continue with the service, admitting that he had been using the project as a way to procrastinate from his studies.

The report was submitted to the Office of the Data Protection Commissioner as is required by the Data Protection Act, as Ryan explained in an email to The University Times. As a public body, Trinity must report such breaches.

The College, like other public bodies, is currently preparing for the new data protection legislation, which places a heavy onus on employers like Trinity to protect the data of its staff and students. Ryan and the IT Services will be working to educate staff and students on data protection and potential security risks, according to the report.

The report does not name Rory Hughes, the creator of Tcal, but referred to him as a “TCD Student”. Under “Description of Breach”, the report explains how the service works, by syncing timetables from your my.tcd.ie account into your MyZone Google Calendar. To be able to use the service, a student would log into Tcal, authorise access to their Google calendar, then provide their Trinity email and password and their login details for Strategic Information Technology Systems (SITS) portal.

On Friday, Hughes emailed all the Tcal users to apologise for having to disable the service. Tcal was used by students to integrate their College timetable with the calendar app on their phone, with its popularity increasing through word-of-mouth praise of the app.

The email sent to users also included an invitation to a Facebook event called “T-Canz”, supposed to be a send-off party for the platform. Hughes described the event as a means of giving “recognition to all the support the app received from students”.

A farewell message, featuring the song “Shut Down” by Skepta, was also posted on the official TCal Facebook page to notify users of the service’s deletion, along with the message “it’s been real”.

Sign Up to Our Weekly Newsletters

Get The University Times into your inbox twice a week.