On 28th July 2020, cyber-security publication BleepingComputer reported that a hacker group, known as ShinyHunters, was leaking stolen user databases from a variety of websites. Among them was ProctorU – the online proctoring service used to monitor 45% of Western Sydney University (WSU) exams last semester.
Hackers published 444,000 user records from ProctorU databases. The leaked information included usernames, passwords and addresses. University of Sydney, University of New South Wales and University of Melbourne have been reported as victims of the breach. W’SUP reached out to authorities at WSU to investigate their response to the crisis.
A Western Sydney University spokesperson informed W’SUP that AusCERT has investigated the breach on behalf of all Australian universities. The investigation concluded that Western Sydney University was not affected by the cyber-attack.
The spokesperson added that the exposed data was from a testing server and included information on clients from 2016 and before. This precludes WSU’s use of the service and thus no personal records were stolen. ProctorU has assured the spokesperson that security has been further tightened since this incident.
Furthermore, ProctorU is obligated to disclose any confirmed data breach within 48 hours, as per their contract with the university.
Despite the widely publicised security failure, ProctorU is here to stay. The spokesperson mentioned that online proctoring was necessary to ensure high levels of academic integrity. However, the university is scaling down the number of exams being proctored online.
In the autumn/1H 2020 examination period, 45% of exams were conducted using ProctorU. For spring/2H 2020, only 10% of exams will be conducted via the service. The spokesperson has mentioned that these exams need to be invigilated online to ensure course progression and meeting accreditation requirements.
Western Sydney University students had previously raised questions about ProctorU. Around 3,500 WSU students had signed a petition opposing the use of ProctorU. They had suggested alternatives to traditional final exams, such as implementing take home exams instead. News of the breach has bolstered existing concerns about invasion of privacy and insufficient data security. It remains to be seen whether similar demands will be made despite reassurance from the WSU authorities.
A spokesperson from WSU assured W’SUP and students that the only data collected is that which relates directly to the operation of the exam. The university also has an agreement to ensure that ProctorU protect student and staff data in accordance with university policy. All data is owned and controlled by the university which is then deleted after the exam results are finalised.
The Student Representative Council (SRC) has put out a three-part post on Facebook. This details their response to the use of ProctorU for examinations. The posts are arranged in the following order :