Because of an administrative error, hundreds of employees were able to book, modify, or cancel colleagues’ work trips in Radboud University’s new travel module. They were also able to view personal data. The error has been corrected today, on Wednesday.

Cancel a dean’s train ride? Change the seat number of the science professor who is flying to the US to a seat next to the toilet? Or book a trip including any hotel accommodations for a colleague without them knowing about it? It was all possible at Radboud University.

Due to an administrative error, hundreds of employees were able to access travel details of colleagues. They had been wrongly assigned the wrong authority, which allowed them to not only book trips for themselves, but also to take a little look at the upcoming trips of others. Flight numbers, hotel details, and personal data (which included mobile numbers) were accessible to all.

Travel agency

Since the 27th of February, employees of the Radboud University have been required to arrange their multi-day trips abroad through the website of a travel agency called VCK Travel. When employees create an account there, they open a menu where they can book – and eventually modify – a trip for themselves. They can also authorize other employees to do that for them.

However, more than 650 employees were mistakenly assigned the status of Travel Arranger. This error lies in simple carelessness, according to a VCK Travel spokesperson. ‘The university assigned roles to individuals who should not be authorized to do so.’

When asked, a spokesperson of the university admitted to the fact that something had indeed gone wrong in the administrative process. ‘When the system was introduced, all employees who can place purchase orders (on behalf of the university, ed.) were also assigned the role of Travel Arranger. However, this should not have been the case for some employees.’

‘That role is only meant for employees who need to be able to book travel for several people, such as management assistants,’ explained the spokesperson. People in support departments, such as HR and IT, should also be able to hold such rights.

Error fixed

The error has since been rectified. The number of employees with an incorrect status has been reduced to “a little over a hundred” since Friday, 3 May, according to the university spokesperson. This happened after VCK Travel received a report from an employee and after enquiries from Vox.

The company contacted the university. ‘After a report was made to us of the situation last week, discussions were held with the university on how to correct it,’ said the VCK Travel spokesperson.

The matter has not yet ended with the withdrawal of right, as the university is considering putting a limit on the rights to book trips for others to its own department in the future. There has been no report of a data breach, the university spokesperson said when asked.

Put it to the test

In order to see exactly how vulnerable the system was to leaks; Vox tested it last Friday. This happened shortly after an employee of the Faculty of Science reported to the editorial office, saying that he himself, as well as some colleagues, could simply view and modify the work trips of others.

It went like this: After the co-worker logs in to the online module, a list of some 2,500 other Radboudians who have an account on the website immediately appears. This includes people from all departments and faculties.

With a few clicks, an overview of all booked trips follows. For each booking, details can be seen: flight or train numbers, sometimes even including seat numbers, the address of the hotel, the total price and the phone number given to make last-minute changes.

Some three hundred such trips were involved in this. From a few PhD students who were flying to Italy and staying in a hotel there, to a professor travelling to Estonia for a few days. And from a dean going to Belgium by train, to a professor visiting two cities in the United States. It can all be seen, and most importantly, it can all be changed.

Thus, the science faculty employee can adjust the seat number and baggage weight for the flights of the employees mentioned above. They can even rebook the entire flight. Hotel stays can also be changed.

Additionally, an employee is able to make bookings for colleagues without their knowledge. ‘Of course I didn’t do any of that,’ the employee immediately declares. ‘But it is still incredibly crazy that I could simply do this.’

Return trip to Brussels

In order to see if it actually works in practice, we asked the employee to go a step further. We get him to book a return train ticket to Brussels for the author of this article.

It works without any difficulties. To book, however, a six-digit ‘travel request number’ must be entered. That number links the journey to a previously approved application in BASS, which is the digital system for employees. But upon booking, it turns out that the fictitious code 123456 suffices.

A message appears on the screen, saying that the booking was successful. A ticket to the capital of Belgium on the 22nd of July has been booked in the reporter’s name, without any action on his part. The return trip for the following day has also been booked successfully. The cost: 55 euros. A few minutes later, the train tickets arrive in the mail.

To check whether it is just as easy to cancel a trip, a fellow employee of the Faculty of Science who holds the same rights on the website jumps in. And yes, with just a few clicks, the ticket has been cancelled, again without any interference from the traveller himself.

Not much later, an email follows from the accounts payable department that an invoice has arrived from VCK Travel. Plus, some additional questions and an urgent request to do the application according to the rules in the future. But nowhere does the enclosed invoice and message show that the trip was not booked by the Vox author himself at all.

‘It’s only about one single train ticket now. But I could have booked a group trip to the other side of the world for ten random people just as easily,’ says the employee of the Faculty of Science in amazement.

Even after Vox had reported the error, the employee was still able to operate as Travel Arranger for two more days. It is only Wednesday morning that he had reported to us that the rights have now been taken away from him too – rightly so.

Translated by Lieke Stevens