Personal information of nine schools and two universities vulnerable: Commissioner

Names, phone numbers and email addresses of over 8,505 students of nine secondary schools and two tertiary institutions in the city were shown to have been exposed in documents retrievable by Internet search engines, the privacy watchdog reported on Tuesday.

Allan Chiang Yam-wang, privacy commissioner for personal data, said he believes the lack of vigilance and security measures to protect personal data revealed in the probe was only a "tip of the iceberg" of the widespread negligence among webmasters.

The compliance checks commenced in April, following media reports of leaks by the city's schools. Nine secondary schools were confirmed to have uploaded files containing personal data onto their web sites without access restrictions, involving a total of 2,115 students.

Two of the schools had leaked 786 students' reference numbers (STRN), which were uniquely assigned to each student for life. The Commissioner compared the sensitivity of the numbers to birth certificates, as publishing the STRN would expose students to the risk of counterfeit identities.

Three schools have also leaked both the email addresses and contact numbers of students or their parents in their files. The commissioner noticed some of the misplaced files had been available for years.

All nine schools blamed their technicians for mistakenly publishing the files on their official websites. The files in question, following the finding, were all removed and requires no further action from the commissioner.

The investigators looked up the search engines to explore how far the oversight of webmasters had gone. The search keywords were said to be "simple", but the office declined to reveal what they were.

A search over a period of 20 hours retrieved 39 files containing sensitive information, including class allocation results of 6,256 students attending the Lingnan Institute of Further Education. The record revealed part of the students' identification card numbers and their names.

The institute also came under scrutiny last week when an inquiry panel criticized the management for problems in student enrollment, governance, quality assurance and other aspects of the operations.

A similar class list of 134 students was also leaked by the School of Continuing and Professional Education run by the Hong Kong Institute of Education. Both institutes issued statements on Tuesday to apologize to the students concerned and assure all the leaked records had been removed.

Allan Chiang said the neglect of two tertiary institutions was particularly disappointing, as tertiary institutions are usually better informed about online security. "But the results showed they have performed badly," said Chiang.

The search also retrieved leaks by businesses though they were less severe than those of the schools.

Meanwhile, the commissioner also urged the city's councillors to stop using contact information of residents seeking assistance for electioneering purposes in its annual report.

A disabled complainant, who had left his phone number to staff of a councillor's local office for an appeal of his disability allowance, later received calls from a candidate of the 2011 District Council election. The commissioner recommended that campaign volunteers should be instructed not to use contacts of residents without the prescribed consent of those who sought help from the councillor.

kahon@chinadailyhk.com

(HK Edition 01/16/2013 page1)