Addressing irregular access to NBT information

31 March 2019 | Royston Pillay, Registrar

Dear colleagues and students

The University of Cape Town’s (UCT) Centre for Educational Testing for Access and Placement (CETAP) was informed in late January 2019 that certain personally identifiable information (PII) of individuals who wrote their National Benchmark Tests (NBT) had been found online. The NBT system is hosted on a UCT platform.

UCT’s Computer Security Incident Response Team (CSIRT) conducted a technical assessment of all the system components. This consisted of checking the software comprising the operating system and website applications for potential weaknesses which could have contributed to the exposure of NBT applicant PII.

Subsequent to this assessment, UCT took the decision to immediately disconnect the NBT website from the internet due to data exposure and ensured that cached data was removed from the Google search engine. The UCT CSIRT has also been collaborating with external web developers and internal technical specialists who are working continually to ensure that the replacement NBT website has been installed and configured in alignment with information security best practices as prescribed by the Center for Internet Security (CIS), a globally trusted information security organisation.

At this point, UCT is confident that it has addressed the vulnerability in the configuration that appears to have been exploited to access the data. It has updated the underlying software to incorporate all current security improvements and has also had elements of the code rewritten to ensure compatibility with the aforementioned updates.

UCT instructed attorneys to advise on the associated legal considerations and also commissioned an external investigation, which has commenced and is ongoing.

UCT has been advised that it is not required to report the incident to the Regulator in terms of the Protection of Personal Information Act of 2013 as the latter is not yet fully in effect. However, in the interest of transparency and good governance, UCT is preparing a report to the Regulator and will cooperate fully with the Regulator.

UCT is unaware of any illegal activity having been conducted using the affected information. However, individuals who may be concerned that their information may have been shared online are advised to conduct the following checks:

  • check https://haveibeenpwned.com and other anti-hacking sites
  • consult with banks and telecommunications service providers regarding fake accounts that may have been set up in their name
  • consult with credit rating agencies regarding their credit rating
  • run searches on search engines and social media platforms.

For further queries, you may submit an email to data-security@uct.ac.za.

Be assured that UCT remains committed to the principle of protecting personal information and will continue to take steps to secure systems and take remedial action where required.

Sincerely

Royston Pillay
Registrar




This work is licensed under a Creative Commons Attribution-NoDerivatives 4.0 International License.
