Hong Kong school Websites leak student data

Eleven schools in Hong Kong -- including two tertiary educational institutes -- exposed sensitive personal information of 8,505 students on their Websites, said the Office of the Privacy Commissioner for Personal Data Tuesday.

Those schools leaking student data online include: the School of Continuing & Professional Education of the Hong Kong Institute of Education; Lingnan Institute of Further Education; St Joseph's College; La Salle College; St Antonius Girls' College; HKFEW Wong Cho Bau School; Kwun Tong Kung Lok Government Secondary School; Wah Ying College; St Catherine's School for Girls, Kwun Tong; St Francis Canossian School; and TWGHs Wong Fung Ling College.

The PCPD said it started compliance checks on 12 schools alleged in a media report last April to have exposed student data online. The results confirmed that 9 of the 12 schools had inadvertently exposed personal information on their websites.

The personal information exposed includes identifiable data such as name, Student Reference Number (STRN), telephone number of the student and parents, and email address. Other data leaked include students' Website log-in IDs and passwords.

The STRN is a unique code assigned by the Education Bureau to individual students, said the PCPD, adding that for the majority of Hong Kong-born students, the STRN is the same as their HK identity card or birth certificate number.

"In these cases, the STRN is not a random number but definitively referable to the student's identity," said Allan Chiang, the Privacy Commissioner for Personal Data.

"In several cases, confidential information such as user name and password for login-in to the school IT systems for online facilities was also exposed."

The nine schools explained that the data breaches were due to misplacement or prolonged retention of the information, while the remaining 3 schools reported that the data concerned was fictitious and compiled for teaching purposes, the PCPD noted.

The PCPD said it also conducted a 20 man-hour data search on the Internet based on certain keywords and found 39 documents containing personal data from 21 educational institutions, of which three are tertiary institutions.

The PCPD followed up by conducting compliance checks against two of these tertiary institutions -- Hong Kong Institute of Education's School of Continuing and Professional Education and Lingnan Institute of Further Education. The results reveal that the data breach of Lingnan Institute of Further Education involved some 6,256 students' records.

"The student/parent data leakage revealed in the compliance actions is cause for alarm," said Chiang. "Bearing in mind that we only spent a limited amount of our time in the exercise and our search was only based on some unsophisticated means, the extent of the cyber security problem we have identified is disproportionate. It reflected a serious lack of vigilance and adequate security measure on the part of the educational institutions in safeguarding personal data."

"I am particularly disappointed at the tertiary institutions that exposed student data online," he said. "The public had high expectations of tertiary institutes to serve as role models in safeguarding online data privacy as they have more IT resources compared to secondary schools."

The PCPD has written to inform the Education Bureau of the findings with a request for follow-up actions, and it will also invite the schools to attend the PCPD's seminars on data protection and the proper use of IT.

According to the PCPD, the schools have mitigated the breach by removing the data from their websites and requesting that the relevant web search engine company remove cached copies from its servers.
