Wintec shuts web site after security breach

20:47, Mar 06 2014

She wanted to apply for a parking permit - instead Wintec student Bronwyn Fleet got the details of people who already had.

The second-year student visited the application site in the student portal in January and was astounded when a list including names, contact numbers and car registration numbers appeared on the screen.

It was fixed after complaints but yesterday Ms Fleet's classmate reported the same problem.

Wintec has taken action by removing the system from its portal until it can be assured it is secure. It is investigating the issue.

The institute of technology plans to inform affected students and the office of the Privacy Commissioner.

Ms Fleet first saw the parking permit list during the week of January 20.


"I was not interested in entering my details on that website, because I didn't want them out there for the world to see," she said. "My concern was really about security . . . if I had a stalker I could be in a bit of trouble."

She went straight to Student Services and showed them on their computer, she said. It was still visible the next morning so her friend contacted Wintec, who took it down the same day, Ms Fleet said.

"We just thought all good because people make mistakes."

So she entered her details, got her permit and thought no more of it until another classmate yesterday complained of the same situation.

Ms Fleet investigated and could see the list again by clicking on a drop-down menu - as could anyone with a password for the Wintec intranet, she said.

Having strangers know her cellphone number and the type of car she drove was "not cool".

Wintec communications director Erin Andersen said an investigation into the underlying issues was under way.

The parking permit booking system had been removed from the student portal "until we are assured this will not occur again".

"We are treating this seriously, and the privacy of our students. Once we have ascertained how many students this has affected, we will notify them of the breach of privacy, its nature, what information has been disclosed, and what we can do to assist them.

"We will also be notifying the Office of the Privacy Commissioner of this," she said.

After the first notification on January 24 Wintec investigated immediately, she said, and removed access to a view which showed other student names, student ID, phone and car registration numbers.

The system reverted to the correct view of just the applicant's details but yesterday's notification of a similar problem showed there was more to the issue, she said.

And an information security expert said privacy demands for online systems are increasing.

"Any privacy breach today is seen as unacceptable to the public . . . It doesn't actually matter what information you are holding on behalf of anyone. Any system you put online has a minimum level of privacy and security that you need to be achieving," Aura Information Security managing director Andy Prow said.

"The demand for security is increasing and a lot of people out there aren't taking that seriously and aren't bringing their systems up to a relevant level of security."

While significant effort and investment went into banking and credit card processing systems, that was not always the case for smaller sites, he said.

Increasing privacy expectations prompted his firm to create a Red Shield product - designed to defend smaller websites - for such situations.

Waikato Times