Head of UCL Estates leaves confidential documents publicly available

Head of UCL Estates leaves confidential documents publicly available

For at least a week, Head of UCL Estates Andrew Grainger accidentally allowed Pi and the general public access to documents designated ‘confidential’, ‘strictly confidential’, and ‘commercially sensitive’, via his Microsoft Outlook calendar.

For those of you unaware of how a Microsoft Outlook calendar works, when senior UCL staff members are in meetings, the time period should be blocked off as ‘busy’. However Grainger’s timetable was set to public, so we could see details of meetings, read relevant emails, and access confidential documents intended for the Senior Management Team’s eyes only.

busy calendar

This is what an SMT calendar should look like

This was perhaps the worst kept secret in the UCLU offices, with Pi receiving multiple tip-offs from different sources on where and how to access the information.

Grainger eventually noticed the gaping hole in UCL’s cyber security and turned his calendar to private, but in the time the calendar was left public, confidential documents were left completely open for public consumption. Protesters were also able to use it to work out where to go if they wanted to target senior management.