A few keystrokes. Nothing more is needed for someone with basic computer knowledge to access students’ personal data on Studentkortet’s website, which has around 500,000 active members. A student from Lund discovered this by accident.
Text Oskar Madunic Olsson
Translation Viktor Jönsson
My name. My address. My social security number. My phone number and e-mail. My student union and nation affiliation.
The student, Paul, has these pieces of information on his laptop screen just a few seconds after I read my student card number aloud. By simply changing the web address, he can access the same information for arbitrary students at upper secondary schools, universities, vocational colleges and folk high schools.
“I believe that with a script you could access Studentkortet’s entire personal information registry”, he says.
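The flaw described above is an insecure direct object reference: the page looks up whatever identifier appears in the URL without checking that the requester is entitled to that record, and because card numbers are sequential, a loop over them reads the whole registry. The following is an added example, not code from Studentkortet or from the article, with constructed sample data and a placeholder session scheme; it shows the vulnerable lookup, the enumeration script it invites, and a hardened lookup that first authenticates the session and then checks that the requested record belongs to it. The missing transport encryption the student also mentions is a separate issue, addressed by serving the site over HTTPS, and is not shown here.

```python
# Added illustration (not Studentkortet's code): a direct-object lookup keyed on
# a sequential card number, with no check that the caller owns the record,
# beside a version that ties each lookup to an authenticated session.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Student:
    card_number: str
    name: str
    personal_number: str   # Swedish personnummer
    email: str


# Constructed sample registry with made-up values; the card-number format
# and the fields are assumptions for the sake of the example.
REGISTRY = {
    "1000001": Student("1000001", "Anna Andersson", "19950101-1234", "anna@example.org"),
    "1000002": Student("1000002", "Björn Berg", "19960202-5678", "bjorn@example.org"),
    "1000003": Student("1000003", "Cecilia Carlsson", "19970303-9012", "cecilia@example.org"),
}


def lookup_vulnerable(card_number: str) -> Optional[Student]:
    """Vulnerable pattern: whatever card number appears in the URL is looked up.

    The card number is the only 'secret', and it is sequential, so anyone who
    can edit a URL can read anyone's record.
    """
    return REGISTRY.get(card_number)


def enumerate_registry(start: int, count: int) -> list:
    """The scripted walk the student speculated about: try IDs in sequence."""
    found = []
    for n in range(start, start + count):
        record = lookup_vulnerable(str(n))
        if record is not None:
            found.append(record)
    return found


# Hardened pattern: a server-side session maps an authenticated token to the
# single card number it is allowed to read. Tokens here are placeholders.
SESSIONS = {"session-for-anna": "1000001"}


class Forbidden(Exception):
    """Raised when the caller is not allowed to read the requested record."""


def lookup_hardened(session_token: str, card_number: str) -> Student:
    """Authenticate first, then authorize: the record must belong to the session."""
    owner = SESSIONS.get(session_token)
    if owner is None:
        raise Forbidden("not authenticated")
    if owner != card_number:
        # Deny without revealing whether the other card number exists.
        raise Forbidden("not your record")
    record = REGISTRY.get(card_number)
    if record is None:
        raise KeyError(card_number)
    return record


def is_denied(session_token: str, card_number: str) -> bool:
    """Helper for the comparison below: True when the hardened lookup refuses."""
    try:
        lookup_hardened(session_token, card_number)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    # The same request against both versions.
    print("vulnerable:", lookup_vulnerable("1000002"))
    print("enumerated:", len(enumerate_registry(1000000, 10)), "records")
    print("hardened, own record:", lookup_hardened("session-for-anna", "1000001").name)
    print("hardened, someone else's record denied:", is_denied("session-for-anna", "1000002"))
```

The hardened version does not make the card number secret; it simply stops treating it as an access credential. Any function that legitimately serves one person's data to another (support staff, for instance) needs its own explicit authorization rule, with logging and rate limiting, rather than a fallback to the open lookup.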
Studentkortet, a company that mostly deals in student discounts, has by its own account around 500,000 active members and obtains the personal data from CSN. In Lund, the company’s student IDs are used to prove membership in Studentlund.
Paul discovered the security deficiencies on Studentkortet’s website by accident while he was looking for student discounts with a web development tool open.
“I reacted to the fact that there wasn’t any encryption and started taking a closer look. What I found surprised me. It should not be this simple to access personal information. The risk that the data has leaked onto the internet, or will, is great”, he says.
Paul’s fears were confirmed by Per Andersson, programme director of Computer Science and Engineering (M.Sc.Eng.) at the Faculty of Engineering (LTH).
“[It is] clear that Studentkortet’s website doesn’t have any security. They have either not thought about security and personal integrity, or they have ignored it when they developed this service”, he writes in an e-mail to Lundagård.
For Studentkortet’s CEO Fredrik Grufvisar, the news of deficiencies in the handling of personal data came as a surprise.
“We must always make sure that we are first and foremost representing the students, and that we are working hard for the safety of their personal data. If this report is true, which I must check, then we will take this very seriously. We will get to the bottom of this”, he says.
According to Fredrik Grufvisare, Studentkortet fixed the security deficiencies on their website after Lundagård contacted him regarding the issue.
The handling of personal data is regulated by the Personal Data Act (personuppgiftslagen, PUL). In short, the law states that personal data may only be processed when there is a justified purpose. The processing must have support in law, contract or consent, and whoever processes the data must take “appropriate technical and organizational measures” to protect it. Leaked data can be used, among other things, for identity theft and for so-called phishing, deceptive e-mail sent in bulk to defraud its recipients.
Lundagård has been in contact with the regulatory authority for personal data, the Swedish Data Protection Authority, which did not want to comment on individual cases.
This coming May, the EU’s new data protection regulation, GDPR, comes into force. It further tightens the requirements for handling personal data and means that companies that do not follow the rules can be fined up to four percent of their global annual turnover.
Footnote: This article was updated after Studentkortet said they had fixed the security deficiencies. Paul is a pseudonym.