Targeted Boğaziçi Scholar: We Detected Unauthorized Access to Personal Information

CANAN COŞKUN

@canancoskun

Four academics working at Boğaziçi University were targeted by the pro-government newspapers Sabah, A Haber, Calendar and Yenişafak. The reports, which used the academics' names and photographs, claimed: ‘He stole some documents by pressing the Information Processing Center.’

One of the targeted academics, Prof. Dr. Tuna Tuğcu, Chairman of the Information Technologies Council at Boğaziçi University, said that four instructors from the Information Technologies Council, acting in their roles on the council, visited Information Technologies to obtain information because they sensed a security risk there.

According to Prof. Tuğcu's account, the visit on Friday, June 10, revealed that the company engaged for security consultancy services had access to databases containing personal information of students, alumni, academics and administrative staff at Boğaziçi University.

The four academics targeted by pro-government newspapers and websites are in fact members of the Information Technologies Council at Boğaziçi University. The board's tasks include making decisions that ensure the smooth functioning of the university's information technology infrastructure, both software and hardware, and monitoring the implementation of those decisions.

Appointed from Üsküdar Municipality

The Information Technologies Directorate (BİM), which is supervised by the Information Technologies Directorate, was attached to the newly created Information Processing Department in a recent restructuring. Faruk Yakaryılmaz, manager of the IT department of the municipality of Üsküdar, has been appointed chairman of the presidency.

Tuğcu, the chairman of the board, and three academics on the board went to the Information Processing Center on Friday, June 10, 2022, after hearing about an information security vulnerability in the university's IT department, and received information from the center's staff. According to Prof. Tuğcu's statement, two important and dangerous situations were detected during the inspection.

Direct and negotiated tender

The audit of the Directorate of Information Technologies found that the newly created presidency had purchased services both directly and by the method in clause ‘f’ of Article 21 of the Public Procurement Law. Under that article, the administration can acquire goods, materials and services at an approximate cost of up to TL 50 billion through bargaining.

Under the direct service purchase, a company was granted access to four databases containing personal information on professors, administrative staff, students and graduates.

‘This information cannot be requested in good faith’

The other service purchase, made by invitation and negotiation, concerned consultancy received under the Information and Communication Security Guide. Here, too, the company asked for the admin password of the servers in BİM.

The company also requested that SSL certificates it would issue be uploaded to BİM servers so that company employees could access those servers without a password whenever they wanted, and that the university's data traffic be mirrored to another port and logged. According to Prof. Tuğcu, these rights requested by the company have nothing to do with the service received.

Tuğcu stated that what the company should need for the first service purchase is not users' real information, yet it requested information such as first and last name, telephone, residential address, parents' names and mother's maiden name. “This information cannot be requested in good faith. Any information maintained is a risk. You don’t keep unnecessary information so that a possible hacking event can be circumvented with minimal damage,” he says.

Tuğcu says these requests are also contrary to the Information and Communication Security Guide prepared by the Office of Digital Transformation of the Presidency. In accordance with the Personal Data Protection Act, this information can only be shared with the consent of each user.

The Rectory did not announce the vulnerability

Prof. Dr. Tuğcu said that as soon as they detected the security vulnerability in question, they wanted to explain the risks to the dean of Boğaziçi University, but the dean would not allow it.

After this step, the targeting reports were published in Sabah, A Haber, Calendar and Yenişafak. The board members were fired by the rectory without notice on Friday, June 10, after which the board was disbanded. Prof. Tuğcu stated that the administration of Boğaziçi University had made no statement and said:

“We do not have the slightest information that an investigation has been initiated or will be opened against us. We read this information from the newspaper. We are the authorized body in this business. We were dismissed at jet speed without being asked. We learned from the press that a crime was invented against us, such as extortion of documents without any foundation. So far, the rectory has not commented.”

‘The Rectory has not yet informed’

Prof. Tuğcu said that the rectory has not yet notified the holders of that information that the security of their personal data has been breached, and that the rectory must inform all faculty and administrative staff, students and all graduates, and identify and punish those responsible for this information security violation.

Contrary to what was reported in pro-government newspapers and websites, Tuğcu said that the meeting at the Information Processing Center ‘was a meeting within the scope of respect and a positive attitude’.

Stating that the people working at the center are his former colleagues, Tuğcu said: “As a Council, if there is an Information Processing problem, it is our primary duty to deal with it. If we hadn’t done that, we would have committed a crime.”
