Potential data leaks at universities   [19.03.20]

There are reports on the Internet about a potential data leak in university information systems. At the University of Hohenheim, the old campus management system "Studium Online" (QIS-SOSPOS) was a system affected by this software error by the system manufacturer. An article of March 17, 2020, which is available to us, reports that the systems of some universities were still vulnerable until recently. We would like to inform you about the specific situation at our university.

The system error immanent in the manufacturer's software was discovered on March 6, 2020 by one of the state universities. The software manufacturer was notified. The University of Hohenheim was also informed in the course of 06 March 2020. After checking the "Studium Online" (QIS-SOSPOS) system, it was immediately removed from the network, so that the possibility of possible third-party access was immediately excluded.

Insofar as a specific link was available, it was possible to see master data that is subject to retention in the affected database. Data on study and examination achievements were not affected. The check also revealed that the security gap was apparently not easily or for everyone to find. There are no indications that the affected database was accessed without authorization.

The problem did not occur with the new campus management system HISinOne, as the affected database is basically deactivated there. Nevertheless, the system was taken into account in all measures.

On Monday, March 09, 2020, the system manufacturer released security hotfixes. After local tests and checks, "Studium Online" was restarted on March 09, 2020 after the security hotfix had been installed. The university has no indication that unauthorised use of the security leak and access to the University of Hohenheim system has occurred.

The incident was reported to the Data Protection Office and the Data Protection Officer of the University of Hohenheim immediately after discovery.

Should you have any questions on this subject, please contact the Data Protection Officer of the university, Mr Bernhard Witt (bernhard.witt@uni-hohenheim.de).

Back to All news