143 NUS students' personal data leaked online

Ronald Loh
The New Paper
Saturday, Apr 29, 2017

All National University of Singapore (NUS) students must soon undergo training on how to properly collect and process personal data for student events.

This comes after a URL link for a Google Sheets spreadsheet started by students from College of Alice and Peter Tan (CAPT), which contained personal data of 143 students, was leaked.

CAPT is a residential college in NUS.

It is believed to be the Personal Data Protection Commission's (PDPC) first enforcement case involving a local university since the Personal Data Protection Act (PDPA) came into force in July 2014.

The spreadsheet was created for the college's freshmen orientation camp last year, which was led by student leaders.

It contained the full names, mobile numbers, matriculation numbers, shirt sizes, dietary preferences, dates of birth, dormitory room numbers and e-mail addresses of the student volunteers tasked to help run the camp, said the PDPC in its grounds of decision issued on Wednesday.

Though the spreadsheet was first shared among selected students via the "Share with specific people" function on Google Sheets, it was later circulated beyond the original group some time last May, said PDPC's deputy commissioner Yeong Zee Kin.

An unknown party had changed the spreadsheet's setting to "share using a link".

As a result, any user with the URL link was able to access the spreadsheet, possibly exposing the information to those beyond the university, said the PDPC.

A student who found out about the breach complained to the PDPC about the unauthorised circulation of the URL link. NUS said that it was notified of the complaint last June.

The PDPC gave NUS 120 days to implement mandatory personal data protection training for all student leaders for all activities.

A NUS spokesman told TNP the university is developing an e-training module that all students will undergo.

In the interim, all student leaders involved in freshman orientation activities this year will be put through online basic training developed by PDPC, said the spokesman, adding that face-to-face briefing sessions will also be provided by NUS for the chairs and data protection officers of such activities.

A CAPT student, who was not among the 143 affected by the leak, told TNP that he was shocked by what had happened to his faculty mates.

The student, who requested anonymity, added: "Hopefully, these new measures by NUS will make sure this doesn't happen again."

Ms Eying Wee, head of marketing for Asia, Middle East and Africa of cybersecurity firm Check Point Software Technologies, said the incident was likely caused by negligence.

She suggested that organisations should look into a document security solution that provides an audit trail and where access permissions are granted in tiers.

She added such breaches of information are dangerous.

"It could be as simple as the details being sold to a marketing database company to identity theft. In the worst case scenario, malicious actors can hack the e-mail accounts and use them to spread malware," said Ms Wee.