MAASTRICHT. The UM website Book a room, where students can reserve a room (for group work) using their login credentials, was unprotected for almost two years. A master's student at the Faculty of Health, Medicine & Life Sciences made this discovery. A mistake, according to ICTS, who took immediate action. Chances of damage are so small, according to the security officer, that students have not been warned. The master's student’s comment: “Scandalous.”
In December, FHML student Patrick Pilipiec saw that the Book a room site was not encrypted (no padlock icon in the address bar). Just like “a postcard without an envelope”, anyone who means to do harm can watch what you are doing and intercept your password and username. Those provide access to the e-mail environment and to the StudentPortal, and therefore also to study results and information about lecturers and fellow students. With the password and username, says Pilipiec, you can easily log in to Surfspot, where address and payment information can be found.
The master's student was “100 per cent correct,” says security officer Bart van den Heuvel. “This should not have happened. However, the ‘eavesdropping risk’ within the UM domain is so small that we didn't warn all the students about a possible data leak, and didn't ask them to change their login details. The website only turned out to be unprotected when students typed in the Internet address themselves, which nobody does. Everyone clicks on the link.”
Pilipiec (who says that he had not entered the address manually): “I feel that you should inform all students about this, because nobody knows whether his/her login details have actually been intercepted. If that is the case, their personal sites such as Facebook or LinkedIn are no longer safe either, because people often use the same login data for multiple websites. I also feel that the UM should have reported the leak to the Dutch Data Protection Authority.”
Van den Heuvel: “We only do so when there is an actual risk that those involved may suffer damages. We intend to protect all UM sites in the future, even the Internet pages where you are not required to enter a password. But this could take a few years.”