Omroep Brabant reported that students and employees of Fontys University of Applied Sciences could view sensitive data, e.g. personal data and contracts, due to a data breach. As proof a student from from Tilburg University sent screenshots to Omroep Brabant.
The universit uses OneDrive, Microsoft’s digital work environment. Users can indicate whether they want to make files visible only to themselves, to specific people or to everyone within the entire organization. A few quick searches by a student yielded access to sensitive files, but more files may be visible to people who shouldn’t see them. In a response, the university said that at least one employee shared a document with the entire organization, while this was not the intention.
Visible to the entire university
The latter option was used repeatedly, allowing sensitive files to be found and opened by anyone across the college. The screenshots that Omroep Brabant received include exams, login details, internship address details and more. If a teacher had already shared this document with the entire organization for an exam, students could find it in OneDrive.
Although the documents were not visible to the outside world, this was still a data breach. The files are shared with a large group of people, but it is not the intention that everyone can read them. Particularly when it comes to sensitive data such as exams, login details or contracts, the intention is that these are only readable by people who need them immediately.
Scale of leak unknown
To protect their source, Omroep Brabant could not send the screenshots to Fontys University of Applied Sciences. With those screenshots, the university could find out who the tipster is. Omroep Brant did send the names, authors and dates of seven files or folders to Fontys.
In a response, the university says that most of these seven files come from students. ‘Student documents may be public. There are two exams on students’ OneDrive, most likely practice exams. We are still investigating that.’
The document that belongs to an employee is about the organization of an event. ‘It is not good that an employee has set the document to ‘public’. You can label this as a data breach. We will take this up with the relevant course and the relevant employee,’ the university said. Fontys is still assessing whether this should be reported as a data breach to the Dutch Data Protection Authority.
Cookie Consent with Real Cookie Banner