Hong Kong school Websites leak student data

Eleven schools in Hong Kong -- including two tertiary educational institutes -- exposed sensitive personal information of 8,505 students on their Websites, said the Office of the Privacy Commissioner for Personal Data Tuesday.

Those schools leaking student data online include: the School of Continuing & Professional Education of the Hong Kong Institute of Education; Lingnan Institute of Further Education; St Joseph's College; La Salle College; St Antonius Girls' College; HKFEW Wong Cho Bau School; Kwun Tong Kung Lok Government Secondary School; Wah Ying College; St Catherine's School for Girls, Kwun Tong; St Francis Canossian School; and TWGHs Wong Fung Ling College.

According to the PCPD, it started compliance checks on 12 schools that a media report last April alleged had exposed student data online. The results confirmed that 9 of the 12 schools had inadvertently exposed personal information on their web sites.

The personal information exposed includes identifiable data such as name, Student Reference Number (STRN), telephone number of the student and parents, and email address. Other data leaked include students' Website log-in IDs and passwords.

The STRN number is a unique code assigned by the Education Bureau for individual students, said the PCPD, adding that in the majority of cases of Hong Kong-born students, the STRN is the same as their HK identity card or birth certificate number.

"In these cases, the STRN is not a random number but definitively referable to the student's identity," said Allan Chiang, the Privacy Commissioner for Personal Data.

"In several cases, confidential information such as user name and password for log-in to the school IT systems for online facilities was also exposed."

The nine schools explained that the data breaches were due to misplacement or prolonged retention of the information, while the remaining 3 schools reported that the data concerned was fictitious and compiled for teaching purposes, the PCPD noted.

The PCPD said it also conducted a 20 man-hour data search on the Internet based on certain keywords and found 39 documents containing personal data from 21 educational institutions, of which three are tertiary institutions.

The PCPD followed up by conducting compliance checks against two of these tertiary institutions -- Hong Kong Institute of Education's School of Continuing and Professional Education and Lingnan Institute of Further Education. The results reveal that the data breach of Lingnan Institute of Further Education involved some 6,256 students' records.

"The student/parent data leakage revealed in the compliance actions is cause for alarm," said Chiang. "Bearing in mind that we only spent a limited amount of our time in the exercise and our search was only based on some unsophisticated means, the extent of the cyber security problem we have identified is disproportionate. It reflected a serious lack of vigilance and adequate security measure on the part of the educational institutions in safeguarding personal data."

"I am particularly disappointed at the tertiary institutions that exposed student data online," he said. "The public had high expectations of tertiary institutes to serve as role models in safeguarding online data privacy as they have more IT resources compared to secondary schools."

While the PCPD has written to inform the Education Bureau of the findings with a request for follow-up actions, it'll also invite the schools to attend PCPD's seminars on data protection and the proper use of IT.

According to the PCPD, the schools have mitigated the breach by removing the data from their websites and requesting the relevant web search engine company to remove cached copies from its servers.


Stories by Computerworld Hong Kong staff
