Eleven schools in Hong Kong -- including two tertiary educational institutes -- exposed sensitive personal information of 8,505 students on their Websites, said the Office of the Privacy Commissioner for Personal Data Tuesday.
Those schools leaking student data online include: the School of Continuing & Professional Education of the Hong Kong Institute of Education; Lingnan Institute of Further Education; St Joseph's College; La Salle College; St Antonius Girls' College; HKFEW Wong Cho Bau School; Kwun Tong Kung Lok Government Secondary School; Wah Ying College; St Catherine's School for Girls, Kwun Tong; St Francis Canossian School; and TWGHs Wong Fung Ling College.
The PCPD said it started compliance checks on 12 schools alleged, in a media report last April, to have exposed student data online. The results confirmed that 9 of the 12 schools had inadvertently exposed personal information on their web sites.
The personal information exposed includes identifiable data such as name, Student Reference Number (STRN), telephone number of the student and parents, and email address. Other data leaked include students' Website log-in IDs and passwords.
The STRN is a unique code assigned by the Education Bureau to individual students, said the PCPD, adding that in the majority of cases of Hong Kong-born students, the STRN is the same as their HK identity card or birth certificate number.
"In these cases, the STRN is not a random number but definitively referable to the student's identity," said Allan Chiang, the Privacy Commissioner for Personal Data.
"In several cases, confidential information such as user name and password for logging in to the school IT systems for online facilities was also exposed."
The nine schools explained that the data breaches were due to misplacement or prolonged retention of the information, while the remaining 3 schools reported that the data concerned was fictitious and compiled for teaching purposes, the PCPD noted.
The PCPD said it also conducted a 20 man-hour data search on the Internet based on certain keywords and found 39 documents containing personal data from 21 educational institutions, of which three are tertiary institutions.
The PCPD followed up by conducting compliance checks against two of these tertiary institutions -- Hong Kong Institute of Education's School of Continuing and Professional Education and Lingnan Institute of Further Education. The results reveal that the data breach of Lingnan Institute of Further Education involved some 6,256 students' records.
"The student/parent data leakage revealed in the compliance actions is cause for alarm," said Chiang. "Bearing in mind that we only spent a limited amount of our time in the exercise and our search was only based on some unsophisticated means, the extent of the cyber security problem we have identified is disproportionate. It reflected a serious lack of vigilance and adequate security measures on the part of the educational institutions in safeguarding personal data."
"I am particularly disappointed at the tertiary institutions that exposed student data online," he said. "The public had high expectations of tertiary institutes to serve as role models in safeguarding online data privacy as they have more IT resources compared to secondary schools."
While the PCPD has written to inform the Education Bureau of the findings with a request for follow-up actions, it'll also invite the schools to attend PCPD's seminars on data protection and the proper use of IT.
According to the PCPD, the schools have mitigated the breach by removing the data from their websites and requested the relevant web search engine company to remove cache copies from its servers.