UTS staff emails and student invoices briefly exposed in an Outlook privacy mishap
By Sebastian Reategui
Hundreds of misdirected email conversations between tutors and academics with students’ personal details have been found to be visible through UTS’s email platform.
The conversations were mistakenly addressed to group email addresses like ‘Invoice’ or ‘Timetable’ instead of their actual recipients’ addresses, and contained student inquiries about assignments, personal information including mobile numbers and tax invoices, and internal correspondence between academic staff.
At least 18 of these group inboxes were identified as ‘public’, meaning that emails sent to them were then visible to all students and staff of the institution, and anyone else with access to the UTS Outlook web platform, via the Groups feature.
On Wednesday, Vertigo notified the Vice-Chancellor’s office that a student had discovered hundreds of emails were visible.
Today, the university’s chief information officer Christine Burns confirmed an investigation of the issue was underway ‘as a priority’.
One exposed message was sent on 27 April from a student to a Faculty of Law associate professor explaining their mental health issues and requesting an assignment extension.
The email, containing a detailed medical evaluation from a psychologist, had included a group address called ‘firstname.lastname@example.org’, named after the six-digit code for the course, in the Cc recipient line.
This meant the message and the medical document were immediately viewable to all users when accessing that group’s page in Outlook.
The professor’s reply to the student was also viewable, as they had maintained the group address in the Cc line.
The ‘70103’ group address has no association with the actual subject, with its earliest messages suggesting it was created by an unrelated student in March 2015 for use in their own group work.
On Wednesday evening, Vertigo observed that all groups had been changed to private and their contents were no longer viewable.
However, it is unclear how many students or staff members had viewed the messages in the time they were accessible.
Last year 44,753 students attended UTS undergraduate and postgraduate programs and 3,632 staff were employed, all of whom are given mail accounts.
A further 4,000 students study at Insearch and an unknown number of former students have access to the UTS mail platform through the Alumni program.
Burns said UTS will review the content of the messages to determine if any private information was accessible and will ‘take appropriate action’ if it is found that personal details were at risk.
“We have now written to every Group owner, to explain our actions and to remind them of the implications of having a group set to ‘Public’”, she said.
One public group titled ‘Online Documentary Tutors’ was one of a handful that had been mistakenly set to public.
It contained at least 15 messages sent in the last two months between tutors of the Communication subject of that name.
Two tutors had exchanged student essays as attachments and commented on the quality of work produced, asking others for feedback.
“Probably wouldn’t have given this one a HD”, one tutor wrote.
On Tuesday night, the head teacher for that subject, Dr Bettina Frankham, was notified by a student who had discovered the messages’ visibility.
Frankham acknowledged it within an hour and the group was then changed to ‘private’.
While group inboxes are a feature of the Outlook platform frequently used for productivity by UTS teaching staff, students are also capable of creating groups.
However, there do not appear to be any restrictions on group names which would stop names like ‘Invoice’ from misleading or impersonating others.
At least 15 viewable emails addressed to the ‘Invoice’ group contained students’ semester bills labelled with their full name, residential address and the subjects they took.
They had been re-sent by students from their university email to a personal Gmail or Hotmail address, but were exposed because they included, perhaps unknowingly, that public group ‘Invoice’ as a Cc recipient.
When composing a new email message, the Outlook web portal provides suggestions of recipients to add to the ‘To’ field, including public groups.
However, there are no indicators in the suggestion list that the group address may not be official or that emails sent to it would then become viewable by the UTS community.
Other public group inboxes were found labelled with the names of academic staff members, making it likely that users had mistaken the email address of the staff member for a public group of the same name.
Tens of emails were found intended for one senior lecturer in the Faculty of Engineering, and two teaching staff at UTS Insearch, but were instead sent to ‘identical’ public group addresses that had been created with their first and last names.
The messages contained submissions of assignment documents and questions for the staff members.
Concerning the Outlook platform more broadly, Microsoft announced to its IT community last month that newly created group address inboxes in Outlook would be set to private by default, responding to growing feedback.
However, it said that it would not change the public or private status of any existing groups, leaving IT administrators responsible for privacy.
For UTS at least, the IT division has now switched all groups to private and commenced work to educate students and staff to ‘understand the public/private setting’ when working within the platform.
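The audit and remediation the article describes (find public groups, look for group names that collide with staff names or office terms like ‘Invoice’, then switch public groups to private) can be scripted against Exchange Online. The following is an added example, not code from the article or from UTS IT; it assumes the ExchangeOnlineManagement module and an Exchange administrator account, and the placeholder UPN and the word list are constructed.

```powershell
# Added example: audit Microsoft 365 Groups for the two conditions the article
# describes. Get-UnifiedGroup, Set-UnifiedGroup, Get-Mailbox and the AccessType,
# DisplayName, ManagedBy and WhenCreated properties are real; the admin UPN and
# the word list below are assumed placeholders.
param(
    [string]$AdminUpn = 'admin@example.org',   # assumed placeholder
    [switch]$Remediate                          # omit for a report-only run
)

Connect-ExchangeOnline -UserPrincipalName $AdminUpn

# 1. Public groups: any mail sent or Cc'd to them is readable by every user in
#    the tenant through the Groups view in Outlook.
$groups = Get-UnifiedGroup -ResultSize Unlimited
$public = $groups | Where-Object { $_.AccessType -eq 'Public' }

$public |
    Select-Object DisplayName, PrimarySmtpAddress, WhenCreated, ManagedBy |
    Sort-Object WhenCreated |
    Format-Table -AutoSize

# 2. Name collisions: a group whose display name matches a staff mailbox, or a
#    generic office term, shows up beside the real recipient in auto-suggest,
#    so mail meant for the person or the office can land in the group instead.
$mailboxNames = Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited |
    ForEach-Object { $_.DisplayName.ToLowerInvariant() }
$officeTerms = @('invoice', 'timetable', 'fees', 'enrolment', 'results')  # constructed list

$collisions = $groups | Where-Object {
    $name = $_.DisplayName.ToLowerInvariant()
    ($mailboxNames -contains $name) -or ($officeTerms -contains $name)
}
$collisions |
    Select-Object DisplayName, PrimarySmtpAddress, AccessType |
    Format-Table -AutoSize

# 3. Remediation as the article says UTS did: set every public group to
#    Private. Without -Remediate this is a -WhatIf dry run that only reports
#    what would change, so the report can be reviewed with group owners first.
foreach ($g in $public) {
    Set-UnifiedGroup -Identity $g.Identity -AccessType Private -WhatIf:(-not $Remediate)
}
```

Switching a group to Private stops further exposure but does not tell you who already read the messages; that needs the tenant's audit log, which the article notes UTS could not establish.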