Personal information of Stellenbosch University students exposed in security breach

Personal information of Stellenbosch University (SU) students who make use of the university’s Centre for Student Counselling and Development (CSCD) was made public on SharePoint without their permission. This is according to Kauthar Jardine, a BA student at the university, who found her therapy reports online after being alerted by a friend. 

The Student Counselling and Development building located at 45 Victoria street in Stellenbosch University, offers support services to students, such as professional and confidential assistance or psychotherapy for depression. PHOTO: Iva Fulepu

The university’s response

“We have identified human error as the root cause of the incident,” said Jarell Toi, SU’s deputy information officer under the protection of personal information, in email correspondence with the Student Representative Council (SRC). 

He also said that they are in the process of obtaining digital forensics to make sure they know who exactly accessed the information without permission and identify which students were affected. 

“From what I know they said they would [release a statement] once the investigation is complete so they can have all the answers,” said Phiwokuhle Qabaka, SRC chairperson. 

The matter has been reported to the Information Regulator (South Africa) and investigations are still ongoing, according to SU spokesperson, Martin Viljoen. 

The information of approximately 100 students was freely available to anyone who had a valid SU account and this was in violation of the Protection of Personal Information Act (POPI Act), Viljoen confirmed in a statement sent to SMF News. The incident did not involve the formal electronic client system, namely Health One, that the CSCD normally uses for the safeguarding of its client files.

Viljoen also said that potentially affected students were contacted individually via email to inform them of the breach.

“As soon as we receive any instruction from the Information Regulator (South Africa) regarding the incident, we will inform you. We will send further updates as our investigation continues,” said Charl Davis, the director of the CSCD.

Davids added that they are still not sure how much of the data on the SharePoint site was exposed or compromised. 

The reports included the names of students who made use of the CSCD services as well as notes made by therapists during the sessions. This is according to a memorandum sent by SRC academic affairs council chairperson, Risuna Risimati, to Dr Choice Makhetha, senior director of the division of student affairs and Professor Deresh Ramjugernath, deputy vice-chancellor of learning and teaching. 

Screenshots from the Stellenbosch University internal SharePoint site where third parties could access sensitive personal information of students with their full names and student numbers. PHOTO: Supplied/ Kauthar Jardine

Student affected

“I was very shaken when finding out about this because my first question was how long has it even been out there and how many people have already accessed people’s reports and read them without having said anything?”, said Jardine.

“No one has been [held] accountable to my knowledge. It was just brushed off as merely a mistake,” said Jardine. 

Jardine said herself and other students affected by the data breach received communication from the university about the matter on 7 June, after having reported the matter in April. 

Editor’s note: This article was updated on 9 July to include Stellenbosch University’s statement.

, , , ,