The information systems of numerous German universities had a serious security vulnerability for years. Affected were systems of HIS Hochschul-Informations-System eG, which are widespread in German academia. Because of a faulty permission check, it was possible to query the personal data of hundreds of thousands of students from a browser, including name, address, matriculation number, date of birth and enrollment status.
Not everyone reacted fast enough
According to its own account, HIS eG was alerted to the security hole on 6 March 2020 by the administrator of an affected university. On the same day it communicated a workaround to its customers, and on Monday, 9 March, a security update was available, the company told c't.
However, not all universities applied the HIS eG update promptly. c't, made aware of the problem by an anonymous tipster, checked a total of 58 universities on 12 March and found several vulnerable systems. Data on over 600,000 students of the universities of Bonn, Düsseldorf, Hildesheim and Saarland could be retrieved online; knowledge of the URL alone was sufficient. The data ranged from the winter semester 1991/92 to the current summer semester 2020. c't informed the four universities the same day, and they have since closed the holes.
Name, date of birth, address; pages 1 to 23,804. For the affected universities, tens or even hundreds of thousands of data sets were retrievable.
Hole remained undiscovered for a long time
Normally, only certain university employees should be able to query the affected information. The error bypassed this access authorization entirely. According to HIS eG, the hole has existed since 2011. How many universities and students were affected, the company could not say when asked: it had informed all potentially affected customers, but not all customers actually used the faulty component of the system.
The extent to which unauthorized persons have accessed the data during the past nine years can no longer be determined, according to HIS eG and the universities contacted by c't: the log files that record such accesses reach back only one to four weeks. So anyone who studied at a university that has used the HIS eG system since 2011 could be affected. That is probably millions of students and graduates.
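To make the class of bug concrete, here is an added illustration (constructed for this article, not HIS eG code; the record data, role names and function names are invented) of a student-record query handler that ignores the caller's session, next to a corrected handler that denies by default, checks a server-side role, and writes an audit entry for every decision so that later investigation is possible at all:

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Constructed sample records (invented people and addresses, not real data).
STUDENTS = {
    "1000001": {"name": "Erika Mustermann", "dob": "1990-05-12",
                "address": "Musterstr. 1, 53111 Bonn", "status": "enrolled"},
    "1000002": {"name": "Max Mustermann", "dob": "1972-11-03",
                "address": "Hauptstr. 7, 40213 Düsseldorf", "status": "exmatriculated"},
}

# Append-only audit trail of every access decision. In memory here; a real
# deployment would ship this to durable storage with a retention period long
# enough to reconstruct who accessed what, which a few weeks of logs cannot do.
AUDIT_LOG = []


@dataclass(frozen=True)
class Session:
    """Who is calling: an authenticated user name and the roles granted to it."""
    user: Optional[str]
    roles: frozenset = field(default_factory=frozenset)


ANONYMOUS = Session(user=None)                                   # plain browser request
STAFF = Session(user="registrar1", roles=frozenset({"student-office"}))
STUDENT = Session(user="s1000001", roles=frozenset({"student"}))


def query_vulnerable(session: Session, matrikel: str) -> Optional[dict]:
    """Faulty handler: the session is never consulted, so any caller who knows
    the URL (here the matriculation number) receives the full record."""
    return STUDENTS.get(matrikel)


def authorized(session: Session, required_role: str) -> bool:
    """Deny by default: the caller must be authenticated and hold the role."""
    return session.user is not None and required_role in session.roles


def query_hardened(session: Session, matrikel: str,
                   required_role: str = "student-office") -> Optional[dict]:
    """Fixed handler: enforces the role check server-side on every request and
    records the decision, granted or denied, before touching any data."""
    allowed = authorized(session, required_role)
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": session.user,
        "matrikel": matrikel,
        "outcome": "granted" if allowed else "denied",
    })
    if not allowed:
        return None
    return STUDENTS.get(matrikel)


def audit_entries(outcome: str) -> int:
    """Count audit entries with the given outcome."""
    return sum(1 for entry in AUDIT_LOG if entry["outcome"] == outcome)


if __name__ == "__main__":
    # Anonymous caller: the faulty handler leaks, the fixed one refuses.
    print("vulnerable, anonymous:   ", query_vulnerable(ANONYMOUS, "1000001"))
    print("hardened, anonymous:     ", query_hardened(ANONYMOUS, "1000001"))
    print("hardened, student-office:", query_hardened(STAFF, "1000001"))
    for entry in AUDIT_LOG:
        print("audit:", entry)
```

The point of the two handlers sitting side by side is that the "URL alone is sufficient" symptom described above is exactly what `query_vulnerable` exhibits: nothing about the request is checked before the record is returned. The hardened version also shows why the retention of the access log matters; without entries like the ones in `AUDIT_LOG` kept for the lifetime of the exposure, the question of who read what cannot be answered afterwards.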
Names, addresses and dates of birth can be abused for identity theft. Via the matriculation numbers, grades and assessments could also be viewed, at some universities at least. Likewise, it could be determined, among other things, when and until which semester a person studied at a given university.
Under the GDPR (DSGVO), the affected universities must immediately inform the data protection supervisory authority of their state about the breach. All universities contacted by c't said this had been done. Asked by c't why nearly 30-year-old data is still stored at all, several universities cited proof of study and insurance periods.
The affected students probably do not have to be informed by the universities, because for that a "significant danger" from the data leak would have to be assumed. Ultimately the responsible data protection authority decides whether that is the case. Incidentally, the supervisory authorities cannot impose fines on (state) universities; the state would only be paying itself. Claims for damages are not precluded by this, but in a case like this an actual damage will hardly be provable.
HIS eG told c't that with every release "extensive quality assurance measures" are performed, supplemented by "regular security checks by external specialists". Apparently these measures need to be improved so that such serious errors do not remain undiscovered for years. And the universities should regard it as their duty to apply security-relevant patches immediately.