Computerworld

Education services provider confirms data breach

Student information system provider left data in open S3 bucket

Data from a student management system was exposed by an open S3 bucket, an Australian training company has confirmed.

According to MEGT, there is an ongoing investigation into the breach, which Computerworld reported last week.

The breach affected international students enrolled with Ability English and MEGT Institute. The data itself was being managed by student information system provider Tribal Campus.

MEGT said that there is no indication from Tribal that data relating to its apprenticeship or group training operations had been affected.

In addition to working with Tribal Campus to investigate the breach, MEGT said it has commissioned an internal cyber security review.

The MEGT data is believed to have included student contact details, identification details, educational data, transaction data, health data, and passport and visa details, according to the company.

The open S3 bucket was closed off after UK privacy advocate Gareth Llewellyn contacted the Australian Signals Directorate.

Llewellyn has previously revealed a number of Australian data breaches involving S3, including thousands of resumes and cover letters being exposed by a psychometric assessment service. He also attempted to alert property valuation firm LandMark White that a range of its client data was exposed.

“While the data which has been breached was being managed by a third party, we are totally committed to the welfare of our students and understand that we need to do everything in our control to manage the implications for those who have been affected,” a statement issued by MEGT said.

“We will do everything we can to minimise the impact on them and have already notified the vast majority of those who have so far been identified as impacted.”

A statement issued by Tribal said: “We can confirm there was a breach involving the unauthorised disclosure of certain individuals’ data held by us in our capacity as the provider of a Student Information System to MEGT. Investigations are on-going.”

“At this early stage neither we, nor the cyber experts examining the details, can determine if any data has fallen into the wrong hands. What we do know right now is that data, which should have always been held securely, was in fact publicly accessible, and that is totally unacceptable to us,” MEGT acting CEO Bridie Gildea said.

“We take data security and student privacy very seriously and this security failure is our top priority. We apologise unreservedly to those who have been impacted by this incident, it will remain our top priority until it is fully resolved. We also undertake to keep students, staff and stakeholders abreast of any developments.”