The detailed records of thousands of University of Sydney students past and present are being stored online where they can be easily downloaded and read via an internet connection.
It is understood the university was told about this security threat in February 2007, but did not move to secure the information.
This website was made aware of the breach after it revealed yesterday the university's website was sabotaged and altered at the weekend by a hacker.
Details openly available on the university site include a student's full name, residential address, email address, which courses he/she studied and how much the course cost.
The vice-chancellor of the University of Sydney, Michael Spence, declined to comment on the suggestion that the university had been warned about lax security four years ago, but said he was ''appalled to be notified that some records could be accessed in this manner''. He called the breach an ''anomaly'' and said the university would act immediately to close it.
At about 5.30pm last night, after this website informed the university of the breach, it removed access to the part of its website which had been leaking the data.
The NSW acting privacy commissioner, John McAteer, said that on a preliminary assessment of the evidence shown to him by this website, it appeared the university had breached section 12(c) of the NSW Privacy and Personal Information Protection Act 1998.
Mr McAteer said he would investigate the matter if it was formally reported to him.
A security expert, who wished to remain anonymous, took less than five minutes to access the records of 55 students. All that was required was a student's ID number, but tweaking the numbers in the internet browser's address bar brought up random students' private information.
The breach has to do with the way the university generates invoices to students who use the Higher Education Contribution Scheme, and affects those who no longer study at the university.
One former student contacted by this website with a copy of his invoice, Jordan Walsh, 26, said he was ''shocked that that information would be able to be obtained so readily''.
''I would've hoped that the university would've held on to that information.''
When informed the university was warned about the breach four years ago, Mr Walsh, who is a lawyer, said he was outraged and that it was ''pretty unacceptable'' for the university to ''put it under the carpet'' and not do anything about it. ''I hope that they do everything in their power to fix this,'' he said.
A computer security expert and the director of HackLabs, Chris Gatford, said this type of security breach was one of the top five he had witnessed when doing what is known as ''penetration testing'', which is used to test computer systems for security holes.