Back in July, The Founder was contacted by an anonymous hacker who claimed to have accessed the images of every single student at Royal Holloway. The hacker was able to download a database of 20,918 images of students, past and present, without requiring as much as a campus connect login. This happened last November when it was discovered that the photo of every student is associated with their student ID meaning that inputting a student number into the correct URL would yield the associated photograph.
In an email to The Founder, the hacker wrote: “It is a rather straight forward attack, which is why I believe it is such an important one to publicise. On a system protected by a login, such as the campus connect site, one expects all data behind that login to be protected, whereas these images are accessible without login in the first place. Additionally, one only needs to look at the code in order to realise that the photos are named after student IDs, so this attack was practically publicising itself.” The hacker wanted to advise college staff: “The files [should be stored] in a non-accessible directory and…the image [should be] pulled from the directory through scripts running on the server at the time the request is sent”
In a statement to The Founder on 6th October, the College reassures students that the directory is no longer accessible via the URL link: “The College acknowledges that there has been a breach of security and it appears that photographs of students have been visible outside the College. It should be noted that these photographs are anonymous (identifiable only by student id) and that no other personal data is implicated in this breach. In addition there is no evidence that this breach has been exploited in any way and we do not believe that any students have been impacted. This failure has now been fixed and the College has already instigated a full investigation in to how this error occurred. The College takes its responsibility for data protection very seriously and has a clear set of procedures and audits in place to protect student information and data. We would like to take this opportunity to apologise for any anxiety or inconvenience caused.”