Since the news that maths paper two and physical science paper two examinations were leaked to an unknown number of learners, teachers and others, the education department has enlisted the services of a national investigation task team to investigate the leaks.
So far, a worker from a company contracted by the department to print exam papers, Themba Daniel Shikwambana, has been arrested for allegedly leaking maths paper two, and was released on R1 000 bail last week. His case will continue on 27 January 2021.
But questions remain as to how such sensitive information could be breached at such a large scale. Technology, in this case, is both a friend and a foe, but using more secure technology, although not a sure way to prevent a data breach, could significantly reduce the likelihood of a reoccurrence.
How was the information leaked?
University of KwaZulu-Natal maths, statistics and computer science lecturer and cyber security expert, Dr Brett van Niekerk, said that, in his opinion, the most likely reason the exam papers were leaked was what the information security profession called “an insider threat – that is, someone who has legitimate access has either accidentally or maliciously leaked the information”.
He noted that many people are involved when exam papers are set and distributed.
“The leak could happen at any stage.”
John McLoughlin, CEO of security tech company J2, said any data breach comes down to “a failure of information security controls and perceived risk to the person involved in the data breach.”
McLoughlin explained that the uncertainty surrounding the leak proves that there is “a massive lack of visibility, limited controls and no monitoring of the entire process.”
He said a breach was easy to pull off if there are no “actionable controls in place” within an organisation.
However, a more sinister reason could be afoot.
“The truth is that if given an easy opportunity, many people can be manipulated, tricked and convinced to make easy money if they believe the lack of controls will make it difficult to get caught.
“It appears that if someone who received the information via WhatsApp had not spoken up, nobody in power would even know that it happened in the first place,” McLoughlin revealed.
Preventing future data breaches
McLoughlin said it would never be possible to fully prevent a data breach. However, measures can be taken to make breaches of this nature more difficult, such as information security controls, effective monitoring and proper risk management.
Van Niekerk suggested ensuring that all electronic copies of exam papers be password protected, and that these passwords are communicated to the intended recipients through a different means than the actual paper.
“That way, there needs to be two ‘breaches’ to get the contents.”
Encryption of any flash drives or emails used to transfer the papers “would also help”, he said.
More advanced security systems can also prevent documents from being forwarded to personal emails, and prevent them from being emailed at all, or copied onto flash drives, without some form of checking.
But, in theory, van Niekerk said, someone could still take a photo of a screen displaying the exam and distribute that image.
Living in a digital age
Due to the electronic and “hyper-connected world” we live in, McLoughlin said there was no way to determine exactly how many students saw the leaked papers.
“As with any large data breach, and due to the speed at which information travels in our world today, we would have to assume that everybody ‘might’ have seen it… We must assume that when it is uncontrolled and public that everybody has seen it.”
Van Niekerk explained that there were many ways in which leaked papers could be distributed among students. Whether distributing papers through physical copies, flash drives, emails or instant messaging, determining the spread is “very difficult.”
And even if an investigation were to ensue to determine an exact number of eyes that have glanced at the leaked papers, van Niekerk said there would be legal and privacy considerations in attempting to do this.
“If it was distributed by a webpage download, then there could be a request to make that link or web address unavailable.”
No method is a silver bullet, but McLoughlin said better understanding the process, ensuring controls are monitored, audited and enforced, and applying a layered mitigation strategy, would amount to better visibility.
“With visibility, you have the capacity to respond.”