Leak of personal information affects exchange students from CBS

Skrevet af Bjørn HyldkrogJesper Snedker Adamsen, (versioning) - Foto: Tadamichi @ Dreamstime.com - 8. januar 2016 - 17:200 kommentarer
Personal and sensitive information on 1,100 upcoming exchange students from CBS was publicly accessible via e-campus for approximately 10 hours during Tuesday night.

To be updated: 1,100 upcoming exchange students’ passport information, civil registration numbers (CPR), grades, results of linguistic tests, and individual case processing details in relation to their exchange stay applications were publicly accessible via CBS’ e-campus for approximately 10 hours during Tuesday night.

On Wednesday, January 6th it emerged in several media outlets that confidential and sensitive information on 1,100 CBS students was “publicly accessible on the university’s website for nearly 12 hours”.

And the allegations turned out to be true although Danish newspaper Ekstra Bladet’s claim that the information was “freely accessible on the university’s website” is a bit of an exaggeration.

The factual case is that 1,100 CBS students’ complete case files concerning their exchange stays at international universities during 2016 and 2017 – including all the above-mentioned sensitive information – were publicly available via e-campus from 11pm on Tuesday, January 5th to 8.45am on Wednesday, January 6th.

To get access to the information, however, you had to go through several steps: on the front page of e-campus you had to click ‘International Office’ -> then ‘List of Exchange places’ -> then on to use the MoveOn search function, i.e., ‘See list of CBS Partner Universities and exchange places’ -> and then finally on to the site about specific universities where the information was revealed by clicking ‘Travel Reports’. That option is now temporarily terminated.

Informed fellow students via email and Facebook

The student who discovered the leak did not react by contacting CBS, but instead opted to contact friends to tell them that they could find the details of the case processing regarding their exchange stay applications via the tap ‘Travel Reports’.

And so the rumor spread via email and Facebook.

The CBS International Office acted immediately after an employee discovered the leak during the morning of January 6th. The leak was shut, the Danish Data Protection Agency was informed, and later that day the affected students were informed via mail about the incident.

- This simply cannot happen. The part of our back office platform that contains exchange stay applications is designed to be absolutely inaccessible to everyone but the employees at the International Office, says the very agitated and apologetic director of the International Office, Tom Dahl-Østergaard.

Damage control in a blizzard of media attention

However, it did happen and since the incident Tom Dahl-Østergaard has juggled an in-depth investigation to find the source and extent of the leak in the system provided by the German IT solutions provider MoveOn, as well as the handling of the many inquiries from worried students and parents, and a blizzard of media attention to top it off.

As it were, one of the affected students chose to inform Danish newspaper Ekstra Bladet about the leak and from thereon it spread to other outlets such as international newspaper MetroXpress and Danish local news channel TV2 Lorry.

“Many of us are potentially severely affected by this leak. Naturally, we fear that our personal data will be used by cyber criminals for activities that we do not in any way wish to take part in”, the disgruntled and anonymous student is quoted saying in Ekstra Bladet’s article.

Tom Dahl-Østergaard’s response on January 6th was that there are no indications that the affected students’ personal information is available online, which is also supported by the fact that a Google search on the information does not provide any alarming results.

CBS wants guarantee that it will never happen again

The leak was not generated by CBS’ own IT systems, but the systems provided to CBS by German IT solutions provider MoveOn and more precisely the site that collects and stores relevant information on CBS’ partner universities, which includes ‘travel reports’ from former exchange students.

The portal provided by MoveOn is also the portal that CBS students, who apply for exchange stays, must upload their applications to, and it is the platform to which only employees at CBS’ International Office have access and handle the case processing on.

- It is not only very regrettable, but also a very serious situation that 1,100 students’ case files have been publicly accessible, says Tom Dahl-Østergaard and stresses that:

- If MoveOn cannot guarantee that a similar incident will never happen again, I will seriously have to consider ending our partnership – even if that forces us to start using hardcopy applications again.

The director of the International Office has asked MoveOn for a comprehensive and detailed report on the specific number of case files that were accessed and by how many during the leak in order for him to get a complete overview of the severity and extent of the incident.

CBS OBSERVER continues to monitor developments in the case and will post information on new developments as they happen.

One of the immediate consequences of the leak is that the sending out of the official letters that inform students of which university they have been accepted to will be delayed.