3400 national identification numbers on-line
For the third time in a row, the University of Oslo has violated the Personal Data Act. The university blames Google.
More than three thousand national identification numbers, names and e-mail addresses of students and staff at the Faculty of Medicine (Med) at the University of Oslo (UiO) have been public on the internet for the past two months. This has happened in spite of previous problems with information leakage, and the fact that the University Centre for Information Technology Services (USIT) promised that the situation had been solved.
– This is a disgrace. It is outrageous that this has happened again, and it is evident that there is a lack of awareness when it comes to how the university deals with personal information, says President of Medisinsk studentutvalg (the Medical Students’ Association), Stian Østland.
The information was used as part of the electronic timetable for students and staff at the Faculty of Medicine, also known as «OKSebasen».
Professor of Law at UiO, Dag Wiese Schartum, is an expert on personal information protection and legal informatics. He clearly feels that this is a violation of the Personal Data Act. The law explicitly states that «sensitive personal data» such as national identification numbers «may only be processed if the data subject has consented thereto».
Schartum disapproves of the situation and points out that unauthorised use of national identification numbers can be exploited to obtain sensitive information.
– If you have someone’s identification number and you know how to use it, you can get hold of practically any kind of information.
Happened before
It is not the first time that UiO has been criticised for leaking sensitive personal information. Last year, personal information of 5300 members of the university staff was made public by mistake. At the time, Rector at UiO, Geir Ellingsrud, characterised the incident as «very unfortunate» and the IT Director of USIT, Arne Laukhold, promised faithfully to make sure that it would never happen again.
Now the university is criticised by the Data Inspectorate, which thinks that the level of security is much too low.
– We take this matter very seriously, not least because the institution has made the same mistake before. When something like this happens, it is important to examine both technology and routines in order to make sure that it never happens again, says Chief Information Officer Ove Skåra of the Data Inspectorate.
Skåra adds that the Data Inspectorate will look into the matter immediately.
Promises action
Dean at the Faculty of Medicine, Finn Wisløff, has also had his name and national identification number listed on-line for the last couple of months. Now he promises action.
– We are very sorry that this has happened, and promise to take care of it. It is unacceptable that this has happened, the Dean says.
Acting IT Director at USIT, Lars Oftedal, declares that Google must take some of the blame for what has happened, since Google stores all websites in a memory, or «cache», that is accessible even after the page itself has been removed.
– The first time we discovered that this had happened, we checked the memory and found that the pages had been removed. Somehow they have come back since.
– So you will not agree that your routines are insufficient?
– Six weeks ago we did have a failure in our routines, and we went over them the way we always do in such cases.
– Does that mean that you are content with the present routines?
– We realise that they are not good enough when it comes to preventing information leakage, and will introduce new routines so that we can pay more attention to these things, he says.
– Must take responsibility
President of MSU, Østland, does not buy Oftedal’s explanation and declares that this is yet another example of how USIT refuses to take responsibility.
– In the end, USIT is responsible for the information that has been made accessible. That something like this has happened is in fact against the law, and USIT must take the blame.
Since the university was made aware of the information leakage, the national identification numbers have been removed from the internet.