An extreme breach of private data by the University of Delhi came to light after final year students logging into the admit card portal for their upcoming examinations discovered that the personal details of thousands of students were easily accessible without any significant protection.
With there being no possibility of distributing admit cards to students in-person as they did previously, the University of Delhi made them available online through a portal. But students logging through the portal discovered that their access to the admit cards required minimal information, which meant that sensitive private details of thousands of students, including their addresses and contact numbers, stood exposed sans any pronounced security.
To access an admit card through the portal, the only details required to be submitted are – student name, roll number and college code (gateway password). All these three requirements can be easily procured by any person wishing to obtain a particular student’s personal information. While the names of students and their corresponding roll numbers can be acquired through the common result sheets of the previous semester, the college code happens to be the same for every student enrolled in a particular college, thus making personal data instantly accessible for students belonging to one college, and to any outsider who manages to get hold of the college code. The college code itself is not seen as confidential information and is freely shared on social media groups.
While from a moral point of view, this public availability of sensitive personal information is ethically wrong at exceeding levels; from a practical point of view, it also puts students, especially female ones, at the risk of stalkers, burglars and any person with malicious intentions for that matter.
The magnitude of the data breach can be gauged by taking a look at the information that is available once a person manages to get access through the portal – name, father’s name, gender, date of birth, email account, contact number, residential address. The breach was first pointed out by a couple of students on Twitter from the varsity’s Campus Law Centre, who termed it a “privacy disaster”.
Somya Pant, a final year student of the university raised similar concerns and told HuffPost India, “This level of easy access can lead a potential stalker to find out addresses and phone numbers of any student they would like to, tamper with their subjects and other examination related details, or depending on what mechanism is to be used for the highly controversial Online Book Exam to be held, might even lead to concerns regarding the answer scripts to be uploaded”.
In an anonymous tip received via mail by DU Beat, we were told that even if a particular person didn’t have the requisite roll numbers and college codes, it was possible for those well versed with computer codes and web development to easily obtain this information within a few minutes since this data happens to be available online and is poorly protected by the university. The mail added that bank account numbers and Aadhar card details of students also stood at risk due to this data breach.
While several students took to social media to express their concerns and criticise the negligence of the university, Mr Vinay Gupta, Dean of Examinations, seemed unfazed by the situation and told Hindustan Times, “We cannot distribute the admit card in person this year, given the circumstances, and we had to switch to the online mode. We do not expect our students to search for the roll numbers of other students and pull out their personal details. Students should have a moral responsibility to not indulge in something like that, considering the prevailing situation. Some students are trying to create a fuss over nothing”.
Another point which confused students was the fact that the entire situation could have been avoided by using an individualised OTP (one-time password) system for logins instead of collective logins, which is not a very difficult set-up to put in place. “This data breach was highly irresponsible coming from a university which prides itself as being among the best in the country. And what’s infuriating is that they are so unperturbed by the entire fiasco, and have gone as far as to term it as something that is not of vital importance or concern (referring to the Dean’s statements). Even a small start-up application these days ensures that an OTP system is in place, so I don’t know why a university with thousands of staff members and students, and a huge supply of funds, can’t do the same”, opined a final year Ramjas College student, on the condition of anonymity.
Once social media was filled with posts lamenting the situation and the issue began to gain considerable attention, the university authorities blocked the issuance of admit cards presumably with an aim to fix the complications. On July 5, three days after the issue was first raised, the university added the requirement of a person’s date of birth to access an admit card. But this addition still received flak and was termed “superficial” with students pointing out that a person’s birth date is not an entirely confidential or inaccessible piece of information. Further updates shall come to light in the coming days.
Additional Image Credits: DU Website
Featured Image Credits: DU Beat Archives