Important information security notification

Dear NBT applicant

Notice of incident that may affect your personal information – NBT

I am writing to inform you of a technical glitch in our National Benchmark Test (NBT) results system that may have exposed your personal information. We have taken all necessary steps to correct the issue. We are notifying you of the incident as this is required by law.

What happened?

On 12 August 2021, UCT was notified by one of the individuals who had recently taken the NBT that there was a technical glitch on the NBT website that meant if the numbers were changed in the URL used to access NBT results, it would be possible to access another applicant’s record. Our investigation has revealed that 413 applicants were potentially affected by this vulnerability.

The personal information contained in the record is the full name of the individual, their identity or passport number, and their NBT results (where they had already taken the test/s).

Although it was possible for a short period of time, due to this technical glitch, to view and download another person’s information, there was no ability to amend any information at all, including the test results.

UCT has confirmed that the personal information contained in the NBT records was downloaded by the individual who notified UCT of the vulnerability, and who had also taken the test. The individual has confirmed that the records were not looked at, nor have they been transmitted to any third parties, and that the records downloaded have been permanently deleted. UCT does not have reason to believe that this individual has any malicious intentions in respect of the records.

What is the impact on me?

Your name, identity number or passport number and your NBT scores (where you have already taken the test/s) may have been accessed by a third party.

Please be assured that the incident did not impact any information in relation to your application to UCT or any other university or institution of higher education that you have applied to or intend to apply to.

What are we doing?

At UCT, we take our responsibility to safeguard your personal information very seriously. When the incident was discovered, we promptly engaged our experts to investigate and contain the incident.

Our first concern was to take steps to prevent any unauthorised access to the records. We have taken numerous steps and implemented all advice provided by our team of experts, which included the following:

• UCT immediately blocked access to the records of the affected individuals so that they remain inaccessible.
• The developers of the NBT website have been instructed to implement fixes in the code in order to remove the vulnerability. These fixes are being implemented and will be tested by both the developer and an external third-party IT security provider.

It is not currently possible to access the NBT records through the NBT website. UCT will maintain this position until such time as we are able to confirm that all technical issues have been resolved and the information on the website is secure.

UCT remains alert as to any further issues which may arise in respect of the website.

Having investigated the incident, UCT has taken measures to enhance its systems in order to further secure and protect your data and we will be monitoring our IT systems closely to combat any risk of similar incidents taking place in future.

How could the information about you potentially be used?

UCT does not have reason to believe that your personal information has been accessed by any third party with malicious intent. However, with any potential exposure of your personal information there is a risk that it could be misused by a criminal to attempt to obtain credit or to impersonate you.

What steps can you take?

Although only limited personal information about you may have been accessed, we would encourage you, as a precaution, to take steps to protect yourself against misuse of your information.

We would recommend that you register for a free Protective Registration listing with the Southern Africa Fraud Prevention Service (SAFPS). The SAFPS is a non-profit organisation focused on fraud prevention and leads the fight against fraud and financial crime. The SAFPS assists in preventing fraud and impersonation as a result of identity theft to protect the public from the associated financial consequences. Its Protective Registration service alerts SAFPS members, which includes banks and credit providers, that your identity has been compromised and that additional care needs to be taken to confirm that they are transacting with the legitimate identity holder. You can apply for a Protective Registration by contacting SAFPS at 011 867 2234 or online.

For more information

If you have any questions or concerns about this matter, please don't hesitate to contact us at via the following email address: data-security@uct.ac.za.