The personal details, including phone numbers and emails, of over 1,000 students who submitted Event Management Plans (EMPs) since 2014 were made available on the UWA Student Guild website through a software error in an apparent data breach, it has been alleged.
This security vulnerability was exposed by Ryan Oakley, a UWA student who also secured 50 signatures necessary towards triggering a Special General Meeting next Tuesday.
It is believed that these personal details were embedded in the HTML code of the EMP submission page and were easily accessible from that page.
An EMP is a mandatory online document that every Guild-affiliated club must fill out prior to holding an event.
It is not clear when the details were first available, and State cannot independently verify the allegations or whether the details are still up.
However, a Facebook post made by Confessions of UWA revealed that the page admin had been “made aware” of the method and “can confirm that you do not need to be a Computer Science major to exploit it”.
Mr Oakley said on his personal Facebook page that “there is still a vulnerability on that page after Guild telling me TWICE [sic] it was fixed via email”.
He added that “The Guild has chosen smooth operations over the security and privacy of their members”.
Under the Privacy Act 1988, the Guild has a responsibility to inform individuals who have been affected by a data breach that is “likely to result in serious harm”.
The Guild has yet to contact any individual, and has not – according to the Confessions post – made contact with Mr Oakley to sign a privacy agreement.
Mr Oakley, along with Chris Scherini, will move four motions at next week’s SGM including a motion for the Guild to take down its website, www.uwastudentguild.com, to conduct a security audit. Removing the website will severely affect the operations of the Guild, including removing important services which would negatively affect clubs and campus culture.
Mr Scherini was Launch’s Societies Council presidential candidate at the last Guild Election.
Three other motions will deal with establishing a process for handling security vulnerabilities, establishing a cyber security policy and contacting affected members when a data breach is identified.
While a simple majority is required to pass a motion at the SGM, under Guild Regulation 5.2.15, motions passed will only take the form of a recommendation to Guild Council. This means that Guild Council may ignore or choose not to proceed with the recommendation.
The Special General Meeting will take place this Tuesday, 13th March at 1pm in the Moot Court.