On the 24th of February, a hole in UWA’s club calendar system was exposed by computer science student Ryan Oakley. The hole exposed the names, numbers and emails of roughly 1,000 students who had submitted club Event Management Plans (EMPs). By all accounts, this was an informational and technical oversight which shouldn’t have happened, particularly for an organisation as big as the UWA Student Guild. The breach received a lot of attention online, particularly on pages like Confessions at UWA. Ryan Oakley created a petition with 50 signatures to call an SGM to address the issue, which took place yesterday.
Four motions were discussed, these being:
- The UWA Student Guild will conduct a security audit on www.uwastudentguild.com and will present these findings to the public at the next Guild OGM.
- The UWA Student Guild will establish a process to promptly deal with security vulnerabilities.
- The UWA Student Guild will establish a cyber security policy such that:
(a) The security of all Internet Services hosted by the UWA Student Guild is reviewed on a regular basis and,
(b) The UWA Student Guild ensures it is in compliance with the Privacy Act of 1988 and other relevant regulations and laws.
- The UWA Student Guild will, where possible, contact affected members to inform them that their personal information may be compromised when a data breach or security vulnerability is discovered.
Before we start on the meeting, let’s rewind to where it all began. We set the scene on the fated night of Saturday the 24th of February. On said day, an email notification was made to the UWA Guild staff regarding this information, and UWA student Ryan Oakley created a post expressing his intention to call a special general meeting about a flaw in the Guild’s online security that could be dangerously exploited. Within that post were directions on how to access this information on the Guild calendar. As noted in today’s SGM, Oakley’s intention was only to ‘[try] to improve the Guild. I don’t directly blame anyone for this leak- is the fault of the institution as a whole.’ Oakley’s original post has since been removed.
Upon being notified of the original post on February 27th, Pelican immediately reached out to the Guild for comment as to whether this breach had been fixed. Guild President Lee responded, assuring Pelican that the vulnerabilities had been closed. However, the SGM revealed that in fact only a portion of the data had been removed, with information dating from 2013 and 2014 still being accessible. Oakley’s secondary post, made later that night, highlighted that ‘there is still a vulnerability on that page after Guild [told] me twice [that] it was fixed via email.’ What we learnt at this meeting was that, prior to the public posts, steps were being taken not only to address this fault (with the deleting of data starting that Monday) but also to address the inadequacy of the website, which was universally agreed to be out of date, with an intense overhaul.
Fast forward to the 7th of March: an SGM is officially announced for the 13th after Oakley received at least 50 signatures. It seemed the public posts had gained enough traction that this was no longer an operational issue but rather a matter for the student body. The week preceding the meeting was one of speculation: it was unclear how serious the ‘breach’ was, who was at fault and why this had to come from Confessions. What the meeting revealed was that in fact this information can be publicly accessed by anyone who needs it.
When a club member submits an Event Management Plan, they act as the public figure of that event in case an emergency occurs or someone wants to complain about things being a little rowdy. While this access is different to the ‘breach’, the fact that anyone who wishes to access an EMP can goes a long way to mitigating the severity of this information getting to the public. Given this was new information to many club executives present, it was noted that more can be done to make those who sign off on EMPs for their club aware of this.
Our final observation was that community action brought about this SGM: students saw a fault in the system and pushed for change. That’s bloody fantastic; an energised, engaged student body is the key to success. The Special General Meeting brought up recommendations that were necessary changes, including a revision to both the Guild privacy and security policies. By the same token, Tony Goodman, Managing Director of Guild, also raised an important point: the Guild staff have an open door policy, meaning that these issues can and will be dealt with if brought straight to them.
It can be easy to build a narrative where there may not be one, and potentially this could have been dealt with cleanly and efficiently without the rigmarole. Rather than being rushed to come to a conclusion in a one-hour meeting, this can be substantively discussed. This isn’t us denigrating the SGM; quite the opposite, we want more students critiquing our representative bodies, but the Special General Meeting is just one of many different avenues to push and create change. As Oakley stated in the meeting, his intention was to ‘[try] to improve the Guild. I don’t directly blame anyone for this leak- is the fault of the institution as a whole.’
If you are interested in seeing the meeting in full, look out for the recorded meeting, which should be available on the Guild website in approximately 10 days.
Pelican Editorial Team