The loophole leaves students vulnerable to be being contacted by predators. Picture: iStock
The loophole leaves students vulnerable to be being contacted by predators. Picture: iStock

Creepy email loophole puts kids at risk

Famous actors, politicians, sports stars and TV personalities are among the thousands of parents whose children may be at risk due to a cyber security loophole affecting Australian schools.

The glitch relates to the formulas schools use to create students' email addresses. These are often some combination of the child's name, which can be very easy to guess.

This is a particular concern for schools that just use the student's first and last name, such as NSW public schools and many NSW and Victorian private schools, as it is extremely easy to figure out.

Most schools in Australia use the Google Education Suite and the loophole means potential predators can verify a student's email in Google Hangouts and make contact with them.

There is no security in place to stop people that aren't in the school system from contacting students.

Along with emailing students, strangers can also share Google Docs with children and communicate through that method even if their student's email address is disabled.

Even the children of well-known Australians - such as Bill Shorten, Dannii Minogue, Jessica Marais, Lleyton Hewitt, Karl Stefanovic, Tanya Plibersek and others - are having their privacy put at risk by this loophole.

Australian Students Privacy Coalition's spokesperson, Michael Uren, told news.com.au it gave predators potential access to all kinds of information.

"The problem arises once you know the first and last name of a child you want to contact then you can easily find them," Mr Uren said.

"Say you don't like a particular football player or politician and decide you want to contact their child as a way to hurt them. All you need to know is their first and last name."

He said it was also an issue when schools had athletics or swimming carnivals and post the names of the children who placed in the events.

"There are thousands of kids on these lists and it includes what schools they go to," Mr Uren said.

"Between a few different sources you have found kids who are nearby, where they go to school and a direct means to contact them.

"Predators can exploit this and use it to groom children."

The concern about students' emails has recently been brought to the attention of every state and territory education minister and department secretary in a letter written by eSafety Commissioner Julie Inman Grant.

"We understand the email naming conventions used by some state and independent schools may be easy to guess and validate, if account privacy and security settings are inadequate," Ms Inman Grant said.

Australia’s eSafety Commissioner Julie Inman Grant has written to the country’s education ministers warning them about the security risk.
Australia’s eSafety Commissioner Julie Inman Grant has written to the country’s education ministers warning them about the security risk.

"This could increase the likelihood of a person who presents a risk to a child using their school email address to initiate contact with them."

She urged schools across the country to "help protect students" by making sure their online systems and naming conventions are as safe as possible.

"eSafety provided brief guidance on how schools could use other email identifiers and recommended their ICT (information technology) and security personnel examine whether the configuration of Google Apps for Education ensures the privacy and security of students and their accounts," she said.

"We will continue supporting State and Territory Education Departments with best practice online safety guidance and resources, as well as teacher professional learning and development."

The NSW Department of Education said it was investigating the "feasibility" of adding a random number to student's email addresses and would consider making changes based on the findings.

"The department already has technical measures in place to protect students, including filtered internet browsing and restrictions on using services that are deemed to present unacceptable risk, such as Google Hangouts," a NSW Department spokesperson told news.com.au.

"More importantly, the department teaches students good digital citizenship by teaching them how to maintain safety while using the internet when they are not on the department's network.

"We are not aware of any students reporting unsolicited emails from strangers, but we would take immediate appropriate action if such an incident were brought to our attention."

A spokesperson from Australia's Department of Education told news.com.au it was up to each state's government, education authorities and school authorities to decide what technology and products were used in schools.

"Minister for Education Dan Tehan instructed the department write to every state and territory education authority expressing his concern and asking them to act," the spokesperson said.

Email addresses created using student’s first and last names are extremely easy to access. Picture: iStock
Email addresses created using student’s first and last names are extremely easy to access. Picture: iStock

News.com.au has also contacted the NSW Department of Education and the Department of Education and Training Victoria for comment.

Some schools, such as Victorian public schools, already have email addresses that comprise letters from student's names and numbers, making them harder to guess.

However Mr Uren, who has two primary school aged children, claims there is another privacy issue affecting kids in the Victorian public system.

He said the contact details of students and teachers had been added into a Google list, which could be seen by anyone added to it.

"There are over 200,000 teachers and students all in one massive searchable list," Mr Uren said.

"If you have a paedophile teacher, they have access to the personal information of thousands of students across the state. If a parent had their child's login they could use it to talk to other kids. If somebody wanted to copy all the details of the kids and sell it online they could do that as well.

"It is an accident waiting to happen."

Mr Uren claimed he previously contacted the Victorian Department of Education about this issue but was left "dumbstruck" when he was told nothing would be changed.