Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security United Kingdom

Law Student Claims Unfair Discipline After He Reported a Data Breach (computerweekly.com) 75

An anonymous Slashdot reader shared this report from Computer Weekly: A former student at the Inns of Court College of Advocacy (ICCA) says he was hauled over the coals by the college for having acted responsibly and "with integrity" in reporting a security blunder that left sensitive information about students exposed. Bartek Wytrzyszczewski faced misconduct proceedings after alerting the college to a data breach exposing sensitive information on hundreds of past and present ICCA students...

The ICCA, which offers training to future barristers, informed data protection regulator the Information Commissioner's Office of a breach "experienced" in August 2023 after Wytrzyszczewski alerted the college that sensitive files on nearly 800 students were accessible to other college users via the ICCA's web portal. The breach saw personal data such as email addresses, phone numbers and academic information — including exam marks and previous institutions attended — accessible to students at the college. Students using the ICCA's web portal were also able to access ID photos, as well as student ID numbers and sensitive data, such as health records, visa status and information as to whether they were pregnant or had children... After the college secured a written undertaking from Wytrzyszczewski not to disclose any of the information he had discovered, it launched misconduct proceedings against him. He had stumbled across the files in error, he said, and viewed a significant number to ensure he could report their contents with accuracy.

"The panel cleared Wytrzyszczewski and found it had no jurisdiction to hear the matter," according to the article.

But he "said the experience caused him to unenroll from the ICCA's course and restart his training at another provider."
This discussion has been archived. No new comments can be posted.

Law Student Claims Unfair Discipline After He Reported a Data Breach

Comments Filter:
  • by Rosco P. Coltrane ( 209368 ) on Sunday June 02, 2024 @10:45PM (#64518923)

    He could sue his alma mater. And it would could as practical work towards his degree too.

  • Education (Score:5, Insightful)

    by systemd-anonymousd ( 6652324 ) on Sunday June 02, 2024 @11:01PM (#64518945)

    Sounds like the education system taught him a valuable lesson about trusting authority

    • Re:Education (Score:5, Insightful)

      by thegarbz ( 1787294 ) on Monday June 03, 2024 @01:16AM (#64519037)

      Sounds like the education system taught him a valuable lesson about trusting authority

      Indeed. Someone reported something. Was investigated to see if there was misconduct in the process, and was ultimately cleared when matter explained to misconduct panel. The system is working just fine. It just seems some people want to whine about it and claim it was unfair.

      The guy had access to sensitive information and by his own admission looked at a significant amount of it. That sort of things needs to be investigated by a misconduct panel. There's nothing "unfair" about the process.

      Seriously this is a law student. If he can't handle the concept of being put in front of a panel to question something even if he thinks he's in the right, he has no business being in law (or at the very least I hope he's only planning to be a simple solicitor rather than anyone who has anything to do with courts).

      • Re:Education (Score:5, Insightful)

        by Bongo ( 13261 ) on Monday June 03, 2024 @02:05AM (#64519075)

        Technically, the moment you see something you're not supposed to see, you step away from the computer. But in real life, how do you send a bug or security report without gathering material? The organisation could claim they cannot reproduce the issue, and that there's nothing to see, or even accuse you, along the lines that if you really did see what you claim to see then you must have been misusing the system because the system is secure. And if you don't report it, when it eventually does get reported and it gets investigated, you will show up in the logs as someone who accessed stuff (your original accidental view) and get reprimanded because you should have reported it, and given you didn't, what else were you up to?

        • Technically, the moment you see something you're not supposed to see, you step away from the computer. But in real life, how do you send a bug or security report without gathering material?

          Well you could do what I did when I found a US national lab I was working at at the time had left its email vacation and forwarding system wide open by using passwords that defaulted to be the username. Helpfully they had also documented this on the web which I found when looking for how to set my vacation message. The system would let you login as anyone who had not changed their password and get copies of their email forwarded to any address you liked! I asked my office mate if I could try his account to

          • The lab was being ridiculously strict about computer security at the time - although their head of computer security was an aggressively incompetent idiot

            This describes a lot of security at banks and Fintechs.

          • by Bongo ( 13261 )

            Cool story, thanks. :)

        • But in real life, how do you send a bug or security report without gathering material?

          You don't. But that doesn't absolve you from an investigation afterwards just because you were a good boy and reported something.

      • Re:Education (Score:5, Informative)

        by VeryFluffyBunny ( 5037285 ) on Monday June 03, 2024 @03:04AM (#64519111)
        You've clearly never had to work with archaic British institutions like this one. They take every opportunity to intimidate & mislead individuals, & shift blame that comes their way. From my understanding of how they operate, this is more than likely a clear case of shooting the messenger. Wytrzyszczewski was right to seek another training provider precisely because of this typically unethical breach of trust. Would you trust them to fairly award grades & write letters of recommendation after this?
      • Gaslighting. The process is a punishment

  • by JustAnotherOldGuy ( 4145623 ) on Sunday June 02, 2024 @11:16PM (#64518959) Journal

    It's 2024 and this lame-ass bullshit is still happening...wtf.

    How are these numbnuts still creating/producing the same stupid, old security holes after all these years? Are they getting their code snippets off of Stack Overflow from 20 years ago?

    • by Antique Geekmeister ( 740220 ) on Monday June 03, 2024 @12:19AM (#64518997)

      "We didn't budget for any changes."

    • by Bongo ( 13261 ) on Monday June 03, 2024 @02:08AM (#64519079)

      It's 2024 and this lame-ass bullshit is still happening...wtf.

      How are these numbnuts still creating/producing the same stupid, old security holes after all these years? Are they getting their code snippets off of Stack Overflow from 20 years ago?

      No, they're getting their code snippets off of the AI (which got them off of Stack Overflow from 20 years ago).

    • by Opportunist ( 166417 ) on Monday June 03, 2024 @02:18AM (#64519085)

      Are they getting their code snippets off of Stack Overflow from 20 years ago?

      Yes, and it's getting worse.

      Stack Overflow and Stack Exchange have been the staple of cargo-cult programmers worldwide. It's so convenient! You type in the problem you have and someone will have created some boilerplate code that does what you need to do. Adjust a few variables and move on.

      Yeah, so far the theory. There are a few caveats though.

      1. Not necessarily the person writing that code knows a lot more about programming than you. SO and SE are mostly kingdom of blinds with one-eyed kings.
      2. Even if they know what they do, that is demo code only. Nobody gives half a fuck about making that code secure. Again, provided they could in the first place.

      What's worst is that this way, bad coding practices get fortified in the brains of young cargo-cult programmers. After some years of doing source code audits, you can easily spot cargo-cult coding when it hits you. Lots of unnecessary lines of code that do nothing because they actually did something in the boilerplate they copied from, then erased a few lines where those lines actually did something, but it's left in because else it magically stops working and the cargo-cultist has no clue why... because he has no clue what these lines do in the first place.

      I don't think I have to detail why this is death to secure code.

      And now we reach the second act of the tragedy: AI. AI now draws from SO and SE, adds a dash of vision (sorry, we're talking about AI, not CEOs, so it's hallucination) and barfs it at the feet of our cargo cultist. Who now not only has no fucking clue where the boilerplate came from but also has zero chance to dismantle the Frankensteinian code mess he has there. It may even compile. If lady luck decides to have a good day, it may even do what it should do... most of the time.

      But I hope I don't have to explain why security-wise, this isn't just a nightmare, it's a death wish.

    • well, have you seen the list of the top 100 passwords? Users are still ignoring all pleas to please use something that can't be guessed, and yes, there are a bunch of users still using 123456 or a variant (654321) of it as a password/pin code, or password or other similar passwords .

      Ref: https://en.wikipedia.org/wiki/... [wikipedia.org]

      Ref: https://parade.com/living/most... [parade.com]

      As always, this message will self-destruct in 5 seconds... be safe out there.

    • It's 2024 and this lame-ass bullshit is still happening...wtf.

      It's 2024 and people are using their own identity and not posting anonymously..... wtf.

  • by Pravetz-82 ( 1259458 ) on Monday June 03, 2024 @12:16AM (#64518989)
    It is the UK.
    These matters seem to be very country specific, so knowing the country is an important context.
    • I don't think this is country specific. Going to an institution and telling them you accessed significant amount of sensitive information about other students will make you face a misconduct panel. That is normal.

      And a panel then dismissing it on grounds of a technicality ... well that is normal for the legal profession. Literally nothing to see here.

    • These matters seem to be very country specific, so knowing the country is an important context.

      I think you'll find a ready supply of idiots available in all countries. The only specifics that seem to vary by country is whether the idiots are making the laws or enforcing them. It tends to get even more interesting when they are doing both.

  • by Alain Williams ( 2972 ) <addw@phcomp.co.uk> on Monday June 03, 2024 @12:17AM (#64518993) Homepage

    Always the best way of preventing an embarrassing disclosure in the future! Oh, wait, what is that you are telling me now ? A ransomware demand ? They got in because we did not bother to install updates ? Quick blame that new guy who we employed last month and put out a press release that says "Lessons will be learned".

  • by AlanObject ( 3603453 ) on Monday June 03, 2024 @12:36AM (#64519009)

    ... Wytrzyszczewski ...

    Must be nice to have a surname that is also a strong password.

  • He most be a friend of Grzegorz Brze,czyszczykiewicz [youtube.com]
    • It's difficult to write, but it is not that difficult to read.
      In Polish spelling, there are combinations of letters that produce one sound.
      cz makes a "ch" sound (like "chess")
      sz makes a "sh" sound ("shell")
      rz makes a sound that does not really exist in the English language, but it kind-of sounds like "j" in "jelly". Its basically the "ch" or "sh" equivalent for the letter "z".
      "e," sounds like "en"
      "a," sounds like "on"

      Its funny to me how "rz" is different from the others. It's like when they were trying to f

      • by abies ( 607076 ) on Monday June 03, 2024 @05:30AM (#64519275)

        Story behind rz is a bit different. In Polish we have letter "z-with-dot" which sound similar to french 'j' (like in "je" or "jalousie"). Way r is pronounced is Polish is close to "z-with-dot" tongue-wise (r is front of palate, z-with-dot is middle of palate, vibrating in both cases, even if slightly differently).
        In old Polish, a lot of words had "r" in some places, which, due to language evolution (and probably people getting lazy, as rolling r is harder to say than "z-with-dot") slowly converted into z-with-dot. But in meantime, they were something in between r and "z-with-dot" and "rz" was used to signify that. These days, it should be just "z-with-dot", but it is a spelling mistake, because you know, poets from 150 years ago and old people.
        For normal Pole, "rz" and "z-with-dot" is pronounced exactly the same. Same for "u" and "o-with-accent", and "h" and "ch". Some people will claim there is a small difference, but they are mostly snobs - more than 95% of people won't know the difference.
        Useful ones are "cz", "dz", "dz-with-dot", "dz-with-accent", "sz", they really indicate separate sounds.

        https://en.wikiversity.org/wik... [wikiversity.org]

        • Interestingly I heard "r" (without the "z" after it) pronounced more like r (the way a Lithuanian or a Russian would say it) and in no way similar to "z" or "rz". Words like rynek, parowoz or Warszawa, I have always heard the "r". Or course, as my native language is not Polish I probably hear many sounds incorrectly and say them incorrectly as well. For example, I pronounce the L-with-a line not much differently than a regular L, but a bit harder (similar to the difference between i and y or between the Rus

          • by abies ( 607076 )

            Yes, rolling r sounds completely different to z-with-dot/rz. But if you start saying it and then move your tongue just a bit back on palate, rz comes out (or sz, if you stop the tongue vibration). So it is "anatomically" close, not close by sound.

            • Oh, that makes sense I guess. Polish spelling is a bit weird, but nowhere near as weird as English. The other weird part is that "e," sounds like "en", but "a," sounds like "on". Why not use "o," instead? Though I guess maybe at some point in time it did sound like "an".

              This is coming from a Lithuanian speaker :) We have "a,", "e,", "i," and "u,", these days they just mean a slightly longer sound, but it used to be added n a long time ago.

        • Thank you! I have Polish colleagues and have been wondering about pronunciation for a long time.

          I usually come close when I first hear their name, but if I don't see them for a few months I end up flubbing it.

        • Back in the late '70s and early '80s there was a popular cop show/comedy, Barney Miller [wikipedia.org], and one of the detectives, Detective 3rd grade (later Sergeant) Wojciehowicz constantly had people asking how to pronounce his name; his answer was, "You pronounce it the way it's spelled." This, of course, was less than useful unless you knew Polish. His co-workers simply called him "Wojo."
        • by mjwx ( 966435 )

          Story behind rz is a bit different. In Polish we have letter "z-with-dot" which sound similar to french 'j' (like in "je" or "jalousie"). Way r is pronounced is Polish is close to "z-with-dot" tongue-wise (r is front of palate, z-with-dot is middle of palate, vibrating in both cases, even if slightly differently).
          In old Polish, a lot of words had "r" in some places, which, due to language evolution (and probably people getting lazy, as rolling r is harder to say than "z-with-dot") slowly converted into z-with-dot. But in meantime, they were something in between r and "z-with-dot" and "rz" was used to signify that. These days, it should be just "z-with-dot", but it is a spelling mistake, because you know, poets from 150 years ago and old people.
          For normal Pole, "rz" and "z-with-dot" is pronounced exactly the same. Same for "u" and "o-with-accent", and "h" and "ch". Some people will claim there is a small difference, but they are mostly snobs - more than 95% of people won't know the difference.
          Useful ones are "cz", "dz", "dz-with-dot", "dz-with-accent", "sz", they really indicate separate sounds.

          https://en.wikiversity.org/wik... [wikiversity.org]

          And this ladies and gentlemen, is why the Poles will never conquer the world.

      • by rossdee ( 243626 )

        Its pronounced Control V

  • by Tablizer ( 95088 ) on Monday June 03, 2024 @01:13AM (#64519033) Journal

    Having worked and complained in a bureaucracy, they treat whistle blowers like shit. Bureaucracies are experts at being passive aggressive: delay, ignore, deflect, make you fill out forms to harass you, etc. They are experts at passing the buck. I gotta say I'm impressed at their arsenal of techniques for passing the buck. I gave them plenty of opportunities to explain how what I was complaining about was rational to leave as-is. It's as if a direct answer would burst their spleen open, so they dance around it like Gilligan on crack.

    • by Bongo ( 13261 )

      Having worked and complained in a bureaucracy, they treat whistle blowers like shit. Bureaucracies are experts at being passive aggressive: delay, ignore, deflect, make you fill out forms to harass you, etc. They are experts at passing the buck. I gotta say I'm impressed at their arsenal of techniques for passing the buck. I gave them plenty of opportunities to explain how what I was complaining about was rational to leave as-is. It's as if a direct answer would burst their spleen open, so they dance around it like Gilligan on crack.

      Responsibility is diluted and distributed -- and in a philosophical sense, a group has no agency, only an individual can have agency -- so yeah, bureaucracy can't own the fault. The sad thing is that this is a feature not a bug.

      Now back to Kazuo Ishiguru's "Living"

      • by Tablizer ( 95088 )

        > Responsibility is diluted and distributed

        It's like that Spiderman clone meme where all the spidies are pointing at each other. They are all partly correct: it's a group un-effort.

        > and in a philosophical sense, a group has no agency

        The top person could start the ball rolling on reforms, but if the problem is buried in the tangled maze, their critics or the public doesn't know or care.

    • I've seen something similar recently, been wondering if it's gotten worse lately, or it was always like that (and I just didn't notice).
  • by devslash0 ( 4203435 ) on Monday June 03, 2024 @01:57AM (#64519065)

    I'm pretty sure that if this went to court he'd still be charged with breaching several cyber crime laws. Unauthorized access is unauthorized access. Lawyers would argue in court that if he came across all the data in error, he should have stopped at the first record and notified relevant people immediately instead of browsing around further.

  • by Opportunist ( 166417 ) on Monday June 03, 2024 @02:21AM (#64519089)

    This field is where you write your last name, not your damn password! No wonder we got data breaches!

  • by sudonim2 ( 2073156 ) on Monday June 03, 2024 @02:24AM (#64519091)

    Bartek Wytrzyszczewski faced misconduct proceedings after a cat walked over the keyboard and spelled his last name into a text field.

  • by EkriirkE ( 1075937 ) on Monday June 03, 2024 @04:14AM (#64519181) Homepage
    I had the same thing happen to me in high school; I showed the IT person that it was possible to navigate the entire school district document structure and I was promptly banned from using school computers.
  • ... as they like leaking data and punish those who report it.

  • Otherwise, they would have followed through with the beatings until morale improved.
  • by jenningsthecat ( 1525947 ) on Monday June 03, 2024 @07:30AM (#64519463)

    Shoot the messenger, just because he's the immediate cause of your discomfort. Waste resources on punishing him - resources that would be better spent on fixing the actual problem and mitigating as required. Make an enemy of someone who's moral, conscientious, and helpful, and who had your back when he could have been lazy or greedy instead.

    All this from a law school. I'm still shaking my head over this.

  • by gweihir ( 88907 ) on Monday June 03, 2024 @07:53AM (#64519515)

    Yes, it is about the most dumb move you can do. But some people think it is a good idea. No idea how mentally dysfunctional you have to be to make that mistake.

  • After all, "Wytrzyszczewski" sounds like a data breach...
  • Is this article some sort of steganography? lol
  • This is yet another example of management covering their own a(r)ses. Instead of allocating blame with the designers of the said computer system.

    ICO alerted after technical ‘issue’ exposed college files to student barristers [computerweekly.com]

    A training college for barristers has reported a data breach that left sensitive data on hundreds of current and former students accessible to other trainees
  • by Mirnotoriety ( 10462951 ) on Monday June 03, 2024 @05:04PM (#64521083)
    @thegarbz [slashdot.org]: “Indeed. Someone reported something. Was investigated to see if there was misconduct in the process, and was ultimately cleared when matter explained to misconduct panel. The system is working just fine. It just seems some people want to whine about it and claim it was unfair.

    a: The someone was the student and instead of thanking him they decided to trash his reputation and ruin his employment prospects.

    b: Did the ICCA inform the Information Commissioner’s Office (ICO) that the source of the information regarding the breach was the self same student.

    c: “The barrister-in-training said he was afforded no representation at the subsequent panel hearing.

    and finally ..

    d: “After the college secured a written undertaking from Wytrzyszczewski not to disclose any of the information he had discovered, it launched misconduct proceedings against him.

"Pull the trigger and you're garbage." -- Lady Blue

Working...