Information about book borrowing exposed online

Information about library users and books borrowed through the self-service machines in the LiU libraries has been exposed online since 2012. The security breach was caused by the supplier's erroneous implementation of the administrative interface in the machines. The library is taking the event seriously, and the machines have been taken out of use.

Olaf Simon

In a recent vulnerability test of IT equipment, Linköping University discovered that the administrative interface used by the supplier in the libraries' self-service machines has exposed information on the internet. The system has unintentionally kept the information exposed for 30 days after a book has been taken out. The exposure stems from an erroneous implementation in 2012.

To gain access to the log files through the administrative interface, it was necessary to know the address of the computer. However, it was not necessary to log in to the interface that exposed the log files from the self-service machines. The log files reveal the name and email address of borrowers, and the titles of books borrowed. Personal identity numbers and passwords are not recorded in the log files. Information about books borrowed is considered to be particularly sensitive, since it can, among other things, lead to conclusions about the interests of borrowers.

“As far as we know at the moment, and taking into consideration the prior knowledge that is required and the steps necessary to find this information, we do not believe that any unauthorised person has gained access to the information. It has not been possible to search the information online. LiU cannot, however, completely rule out the possibility, and we have acted without delay, taking all available measures to protect information about our borrowers. We are taking the situation extremely seriously”, says David Lawrence, library director at Linköping University Library.

It is mainly co-workers and students who borrow books from the libraries.

“We will contact with detailed information any affected borrowers who can be identified, as soon as the LiU incident response team has finished its analysis of the log files”, says David Lawrence.

The self-service machines have been taken out of use and all loans are now dealt with manually. A procurement process for new self-service machines was already in progress, and it includes an extensive specification of requirements for IT security.

“The procurement process is now much better than it was previously, and LiU places high demands on its suppliers”, says David Lawrence.
