‘Serious data protection flaw’ in Student Leap Card system

Application system allows Leap Card agents view personal details and phone numbers of students across the country

Student Leap Card application system available to agents across the country.
Student Leap Card application system available to agents across the country.

There is a “serious flaw” in the Student Leap Card system which allows college agents access to the personal details of a large number of students across the country, without their knowledge.

Third-level students can apply for the transport card, which allows them travel at a discount. A new online application system allows students sign up for the public transport card and then collect it from an agent in their college, in most cases their students’ union.

However, the application system allows agents providing the cards to access the personal details, such as name, home address, photograph, mobile phone number, email address, and date of birth, of all students who recently applied online for a card across the country.

The Student Leap Card system is outsourced by the National Transport Authority (NTA), to a firm called Fimak Group. The group includes Credit Card Systems Ireland, a firm who print secure electronic cards, such as ID or loyalty cards.

READ SOME MORE

When a student applies for a Leap Card online, they are provided with a six digit code, which they bring to a Leap Card agent in their college, who verifies they are a current student, and prints off their card. The new online application system was introduced last year.

When an agent begins to type in a code, they are presented with a large number of applications that match the digits input so far, which is only limited down to the appropriate student when the full code is entered.

The IT system for searching applications has been criticised as excessively open by University College Dublin Students' Union (UCDSU).

Students' union president Barry Murphy said there was a concern the current system could be abused, to allow individuals inappropriately access students' details.

Approved

“UCDSU did not want to risk having the personal information of our student members abused . . . As students across the country begin this semester, we need this serious data breach to be resolved immediately,” he said.

UCDSU highlighted the "data protection flaw" in May, according to emails between the students' union and Fimak, seen by The Irish Times.

In response to concerns, an official from Fimak told the students’ union the application system “has been approved by the NTA, and is fit for this purpose”. The email said the service was being reviewed on an ongoing basis, but for now “will stay as is”.

However, internal emails from the NTA to UCDSU in mid-August show the authority shared the students’ union concern, and an official said the flaw needed to be addressed as an issue of “category one importance”.

The students’ union had refused to sign a data processing agreement to provide Leap Cards to students in Belfield, until their concern over excessive access to students’ personal details was addressed.

A spokesman for the NTA said the authority had “worked closely with UCDSU to address their concern and have made some changes to the way in which Student Leap data is stored and processed”. The changes are currently being tested, and will be implemented in the coming days, he said.

Several thousand Student Leap Cards are issued each September, as students starting or returning to college apply for the public transport card at the start of the college term.

Fimak declined to comment on the matter, and referred The Irish Times to the NTA.

Jack Power

Jack Power

Jack Power is acting Europe Correspondent of The Irish Times