Share this article on:
A report of parents “hacking” into a website hosting selective school selection results is another example of a cyber security beat-up.
Earlier this week, Sydney-based masthead The Sydney Morning Herald ran an online article under a startling headline: ‘Unauthorised access’: Parents hack selective school results website.
It’s a pretty bold line, and quite a mental image – concerned mums and dads breaching forbidden data and deploying who knows what kind of malware or code to get around the website’s security.
Only, no one hacked anything.
Even within the article itself, the word hack is never mentioned. What it does say is this: “More than 100 selective school candidates secured ‘unauthorised access’ to a department website which allowed them to view their own results, including if they had successfully gained entry to a school and if they were placed on a reserve list.”
The article went on to explain that the leaked results and details on “how to manipulate the webpage’s URL” were being shared on Xiaohongshu, a Chinese language e-commerce and social media platform. Some of the parents even spoke to the SMH about the apparent “hacking”.
The article’s author also noted that the Department of Education had “launched an urgent investigation” into the incident, before going on to selectively quote a statement from a Department spokesperson.
Here’s that statement in full, as supplied to Cyber Daily:
“Around 100 students, from 18,545 applicants, gained unauthorised access to their own draft selective test results this morning ahead of Friday’s official release of the results.
“No one was able to access data other than their own. Investigations are continuing, but the issue has now been fixed.
“All results will be published as planned on Friday.”
Some other information was also provided as background material, which the SMH ran as a direct quote, outlining the department’s response, namely that the “outcomes URL” was now blocked and would be unblocked on Friday, and that the outcomes have not even been finalised, but will be by Friday as planned.
So, if it’s not a hack – and it very much isn’t – what did happen?
To put it simply, it’s a misconfiguration of the website that allowed a few nervous mums and dads to gain access to a draft version of the information a few days early. It’s less of a data breach, where a hacker (or highly skilled parent, I guess) actively and maliciously breaks into a network to expose data, and more of a data leak, where data is inadvertently left accessible by the owner of that data.
I’m unsure of the details, but as the only data that was accessed were the results of a particular child, it’s likely because parents were able to log into the website’s application dashboard and were surprised to see early results already listed. As the SMH article notes, limited spots in selective schools have made competition for a placement particularly fierce this year, so of course, parents were going to be excited.
Each child is associated with a particular application number, so it’s entirely possible parents were using that to somehow access their kid’s results.
Regardless of the technicalities, the fact remains that the Department of Education’s website was not hacked. Nor has the department at any time said its investigation was “urgent,” and the department did not say “more than 100” student results were revealed, but rather “around 100”.
Someone made a boo-boo and has probably had a very bad day, and the department is now making sure it won’t happen again. That’s it.
I’ve said it before, and I’ll say it again because it bears repeating – reporting around cyber security needs to be far more stringent. Calling an incident like this a hack might make for a snappy headline, but it misrepresents what actually happened, causing an opportunity for real reputational harm to the organisation being misrepresented and concern among stakeholders and clients.
In this case, an NSW government department and a whole lot of parents who may now feel concerned that their kid’s data is being poorly protected.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.