University of Tasmania breach a tough lesson in cloud misconfiguration errors

Human error back in the spotlight after Office 365 permissions lapse.

For all the attention on nation-state attackers and malicious cybercriminals, all it took was a simple configuration mistake for the personal details of nearly 20,000 University of Tasmania students to be shared with the entire academic community.

University officials were moving quickly to contain the fallout after revealing this week that a data breach on 11 August had made the details of all currently enrolled students accessible to anyone with a university email address, whether or not they were authorised to view the documents.

The error was caused by an inadvertent misconfiguration on the university’s SharePoint server, which exposed the documents through the Delve feature of its Microsoft Office 365 installation. Delve surfaces documents that may be relevant for individual users but “never changes any permissions”, the product’s website says, “so you’ll only see documents that you already have access to”.

Yet after a systems administrator inadvertently granted public access to the files in question—which, university vice chancellor Rufus Black explained, are used “to inform the support initiatives the university has in place and to facilitate engagement with students for this purpose”—they were made available to every university user.
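Because Delve only surfaces files a user can already open, the exposure described above lives entirely in the SharePoint permissions, not in Delve itself, so the practical check is to find every role assignment granted to a tenant-wide principal. The script below is an added example, not the university's tooling and not code from the article; it assumes the PnP.PowerShell module, read access to the site passed as $SiteUrl (a placeholder), and the standard login names SharePoint Online uses for its "Everyone" and "Everyone except external users" claims. The article does not say which grant the administrator made; "Everyone except external users" is the one that would make a file readable by anyone with a university account while still looking internal.

```powershell
# Added example (not from the article or the University of Tasmania): audit a
# SharePoint Online site for permissions granted to the tenant-wide "Everyone"
# claims, at web, list and item level. Assumes PnP.PowerShell is installed
# (Install-Module PnP.PowerShell) and that the caller can read the site.
param(
    [Parameter(Mandatory = $true)]
    [string] $SiteUrl   # placeholder, e.g. https://contoso.sharepoint.com/sites/StudentSupport
)

# Login names SharePoint Online uses for its built-in tenant-wide principals.
# "Everyone" also covers external users; "Everyone except external users" is the
# grant most often made by mistake when a site is meant for "all staff".
$EveryoneClaims = @(
    'c:0(.s|true',                               # Everyone
    'c:0-.f|rolemanager|spo-grid-all-users/'     # Everyone except external users (prefix; tenant id follows)
)

function Test-EveryoneClaim {
    param([string] $LoginName)
    foreach ($claim in $EveryoneClaims) {
        if ($LoginName -eq $claim -or $LoginName.StartsWith($claim)) { return $true }
    }
    return $false
}

function Get-EveryoneGrants {
    # Emits one record per role assignment on $Securable whose member is an
    # Everyone claim. $Securable is a CSOM Web, List or ListItem.
    param($Securable, [string] $Scope)
    $assignments = Get-PnPProperty -ClientObject $Securable -Property RoleAssignments
    foreach ($ra in $assignments) {
        $member = Get-PnPProperty -ClientObject $ra -Property Member
        $roles  = Get-PnPProperty -ClientObject $ra -Property RoleDefinitionBindings
        if (Test-EveryoneClaim $member.LoginName) {
            [pscustomobject]@{
                Scope     = $Scope
                Principal = $member.Title
                Roles     = ($roles | ForEach-Object Name) -join ','
            }
        }
    }
}

Connect-PnPOnline -Url $SiteUrl -Interactive

$web = Get-PnPWeb
$findings = @()
$findings += Get-EveryoneGrants -Securable $web -Scope "web:$($web.Url)"

foreach ($list in Get-PnPList -Includes HasUniqueRoleAssignments) {
    if ($list.Hidden) { continue }   # system lists; skip to keep the run short

    # A list that inherits from the web was already covered by the web check.
    if ($list.HasUniqueRoleAssignments) {
        $findings += Get-EveryoneGrants -Securable $list -Scope "list:$($list.Title)"
    }

    # Items can break inheritance even when their list inherits, and a
    # "share with everyone" on a single document lands here, so walk them regardless.
    foreach ($item in Get-PnPListItem -List $list -PageSize 500) {
        $unique = Get-PnPProperty -ClientObject $item -Property HasUniqueRoleAssignments
        if ($unique) {
            $findings += Get-EveryoneGrants -Securable $item -Scope "item:$($list.Title)/$($item.Id)"
        }
    }
}

if ($findings.Count -eq 0) {
    "No Everyone grants found on $SiteUrl"
} else {
    $findings | Format-Table -AutoSize
}
```

Any row this prints is a document that every licensed account in the tenant can open, and therefore one that Delve, search and shared links will happily surface to them. Run it across the sites that hold student or HR records rather than one site at a time, and treat a hit at item scope as seriously as one at web scope: item-level grants are the easiest to make by accident and the hardest to spot in the site's permissions page.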

The university has established a support line to answer questions from students, has appointed case managers, and engaged identity support services firm IDCare to support students as the implications of the breach become more widely understood.
