Melbourne private school Marcellin College was forced to seek advice from the Privacy Commissioner last month over a “human error” that saw the personal details of over 6000 former students published online.
For several weeks over the Christmas period, the names, birth dates, addresses, phone numbers and occupations of alumni were freely accessible in the public domain in an online spreadsheet hosted by Hong Kong site Edit Grid.
Marcellin Old Collegians database administrator Chris Mirabella tells Crikey, “The information was put up on a site to allow the old boys to collaborate, the intention was to use the technology to let people communicate — it was to make our lives easier.”
Marcellin College principal Mark Merry adds, “The database was for keeping in touch with old collegians, for emailing them and as such [it was] meant to be a protected site.”
Edit Grid is a free site that enables users to upload information without additional software; it made the database accessible online for the executive members of Marcellin Old Collegians. The only problem: Edit Grid made it accessible for everyone else, too.
“You are advised to take caution when you make personal, sensitive or confidential information accessible on a spreadsheet shared with public, which may be the default sharing mode of your spreadsheets.”
Mirabella says, “There was no malicious intent, the information was not intended for profit. It was to make better communications for the school community.”
A former Marcellin College student, who did not wish to be identified, told Crikey he discovered the database through a Google alert linked to his name and was concerned about unsolicited communication and privacy issues such as identity theft.
“Not even people I work with have my home number,” says the former student.
Australian Institute of Criminology principal criminologist Russell Smith tells Crikey that personal information that can be cut and pasted easily — the Marcellin College database could be exported into Microsoft Excel — is valuable for illegal online commerce. Although it is not clear if the option was available on the Marcellin College database, Edit Grid’s features include a “share” option, where the page being viewed can be posted on Facebook profiles and shared with delicious.
“The kind of information contained in the database could provide a starting point for identity theft — it is preliminary material that could be used to obtain identity documents,” says Smith.
“There is a large industry for false CV information and there could be risks for stalking.”
Australian Privacy Foundation vice-chair and UNSW Cyberspace Law and Policy Centre director David Vaile tells Crikey the Marcellin Old Collegians demonstrated how the ease of use and accessibility of free online web tools can blind users to just how damaging they can be.
“This is a classic example of the dangers of free stuff,” says Vaile, “and it shows a failure of the user interface design — because they simply were not aware that there was no password protecting their information.”
Former students whose details were contained in the database may have had little or no real contact with the school since graduating, aside from alumni newsletters. In Vaile’s opinion, there could be significant legal issues for Marcellin College for breach of privacy and personal security.
Marcellin Old Collegians assures Crikey the database was removed from the web as soon as they became aware of the issue.
Principal Merry says the school is reviewing safeguards, will notify anyone affected and has sought legal advice as well as the advice of the Privacy Commissioner.