Privacy czar calls on U of R to make more changes to online security
The University of Regina has expelled a student and strengthened its cybersecurity safeguards after the grades of 31 students were altered last year through a breach in faculty accounts.
But Saskatchewan’s Information and Privacy Commissioner — while commending the university ’s response — is recommending further changes.
Commissioner Ronald Kruzeniski issued a report last week on the issue, following news coverage of the grading irregularities last fall. According to his report, an instructor first noticed the “abnormal” activity last August. He found that the grades of six students had been changed in an online mark entry system.
The university’s own investigation revealed that a dean’s account was used to alter the grades, according to the commissioner, but that the dean did not make the changes. Further investigation showed that five accounts of instructors or deans had been “inappropriately accessed,” resulting in changes to the grades of 31 students in four engineering courses.
“The breach resulted from the utilization of weak passwords, and failure of impacted faculty members to change password from the default,” the university’s report read. Some grades were increased, while others were lowered.
A spokesperson for the university confirmed Wednesday that one student who was found to be responsible for the breach has since been expelled.
Following the revelations, the university outlined numerous changes to its systems, including new PIN authentication practices. Many employee-facing applications — those accessible to employees, including the mark entry system — were also placed behind a firewall. Staff now must use a virtual private network, a more secure way of accessing the web, when logging in from off-campus locations.
The commissioner concluded the university had taken appropriate measures to contain and investigate the breach. But he made further recommendations for including a minimum number of characters for PINs and random audits of the mark entry system to screen for abnormal activity. He also suggested mandatory privacy training for employees.