Proctorio failed to inform TU/e about possible leak
Proctorio informed TU/e only yesterday, just before midday on Wednesday 15 December, about a leak that gave outsiders access to students’ webcams and online accounts. The leak was discovered in June. TU/e has been using anti-cheating software Proctorio during at-home exams since March 2020. ESA director Patrick Groothuis wants to know why Proctorio didn’t report this sooner.
According to the statement that was sent to TU/e at 11:52 hrs. yesterday, Proctorio was informed about the ‘vulnerability’ within its system by RTL Nieuws on June 17 of this year. RTL Nieuws had asked a group of ethical hackers to hack into Proctorio’s software. The leak was fixed on June 24, Proctorio says.
Patrick Groothuis, director of Education and Student Affairs, says that he didn’t hear anything from Proctorio about this matter in the period during which the hacking attempt and the fixing of the leak occurred. The first time he heard about this was yesterday. Groothuis: “We are in regular contact with Proctorio. We are currently discussing this issue. One of the things we want to have cleared up is why we weren’t informed sooner.”
Damage
Groothuis says that there are no signs at this point that the software’s vulnerability was actually misused and that TU/e students suffered any damage as a result. TU/e only uses Proctorio in case corona leads to capacity problems on campus and adversely affects the university’s ability to hold exams, Groothuis says. TU/e is also running small-scale pilot projects with Proctorio, he says, “for authentic assessments and selection tests, for example, or at the request of individual students in unique situations, such as for top-level student athletes.”
The ESA director says that he remains convinced that Proctorio is optimally secured at this point. In July of last year, Groothuis announced that TU/e will explore, in collaboration with SURF and a number of other institutions, the possibility of carrying out an audit on Proctorio’s software. Did such an audit take place?
“TU/e closely collaborates with SURF with regard to assessments,” Groothuis says. “Practically every university has been paying special attention to Proctorio’s security. The University of Amsterdam has gone through a long process in 2020 with regard to the audit in order to safeguard privacy and security. Proctorio’s Zero-Knowledge encryption was properly examined for that purpose. Proctorio was asked to conduct pen tests on both its cloud solution and its browser plug-in, and they have by now been ISO 27001 certified. SURF and TU/e continuously monitored this very closely.”
Discussion