The Examination Center of Montenegro has filed a report with the police to determine the existence of elements of a criminal offense related to unauthorized access to data and the information system of that educational institution, "Vijesti" learned unofficially from the Police Directorate.
The same sources claim that this was done after Mato Kankaraš, a professor at the Podgorica "Slobodan Škerović" high school, publicly announced on his Facebook profile that he wanted to view the allegedly "publicly available results of the matriculation exam", which students access exclusively with their password or unique citizen identification number.
He did this, as he stated on his profile, by bypassing the "protective layer", making changes to the file itself that he accessed, thus gaining access to the personal identification numbers of almost 5.000 Montenegrin high school graduates. In the post, Kankaraš accused the Ministry of Education, Science and Innovation and the Examination Center of "releasing the JMBGs of Montenegrin high school students", assessing that if he managed to access the data with limited knowledge of that type of file, "he has no doubt that someone has already downloaded this and that this data is already being traded somewhere on the dark web". "In a senseless attempt to preserve anonymity by having everyone only see their own results, which should not be legal because the act of concluding grades is public, the Ministry of Education, Science and the Examination Center of Montenegro, out of sheer negligence, disclosed sensitive personal data of students who participated in this worthless exam. EVERYONE'S HONOR", wrote Kankaraš.
After the Examination Center received information about Kankaraš's post, they filed a report with the police to determine whether there were elements of cybercrime in this case.
When asked for comment, the Examination Center told "Vijesti" that they would not trivialize any attempt at unauthorized access to their information systems.
"Any form of circumvention of technical protection measures, unauthorized access to data or their misuse will be reported to the competent authorities, including the Police Directorate and the Agency for Personal Data Protection and Free Access to Information, in order to determine all relevant facts and the possible responsibility of participants in such actions," they responded.
The Examination Center says that it is crucial that public attention be focused on the essential question - who, how, and with what motive tried to access data that was not intended for them, and not to shift responsibility for such actions to the institution that established the protection system and is taking all available measures to protect student data.
They told parents and the public that regardless of any possible attempts at misuse or unauthorized access to certain segments of the system, there is no possibility of accessing the central databases containing complete data on student results, scores, and grades. They also claim that there is no possibility for any unauthorized person to change scores, grades, or in any other way influence the final exam results.
"The system for publishing preliminary exam results organized by the Examination Center was designed and implemented with the application of appropriate technical and organizational data protection measures. Its main purpose is to enable each student to access exclusively their own data and results, using their unique code or identification number. Any attempt to access data of other persons, beyond the purpose and functionality of the system, represents unauthorized action that may have the characteristics of cybercrime and abuse of information systems," they told "Vijesti".
They also claim that data on students, unique codes and results are located in protected databases to which only authorized persons within their official jurisdiction have access.
"After processing the results, the data is published via a special platform in a way that allows each student to see only their own results, using a unique code or other identification data provided for by the procedures. The system is not intended or intended to access the data of other persons," they explained.
The Examination Center pointed out that in this specific case, the question does not arise as to how the data was protected, but rather why "someone consciously tried to circumvent the established protection measures and access data that was not intended for them."
"Of particular concern is the fact that, instead of pointing out a possible problem to the competent institutions for its elimination, data was obtained and publicly published that could not have been obtained through regular use of the system. Such conduct raises serious questions of responsibility and intent. Namely, the question arises as to why an attempt was made to access the data of other persons, by what methods it was done and for what purpose. It is also necessary to determine whether there was unauthorized access to the information system, collection of data without legal basis or its further distribution to third parties," concluded the Examination Center.
See more:
Download the app and follow the news
FOLLOW US ON
