The Information Commissioner's Office has reprimanded the University of York for stuffing up its IT systems so that student records were accessible to anyone.
The ICO blamed a staff member who "failed to realise they had made an error while carrying out work on the University's IT system".
The screw-up resulted in student records being left on a test area of the university's website. Even though there was no direct link from the main site, 148 records were accessed.
Information included dates of birth, mobile numbers, A level results and addresses.
The uni left the files online for over a year from September 2009. Students could access files belonging to other students.
The ICO said because the data was relatively harmless it decided not to fine the university.
Brian Cantor, chancellor of the University of York, signed an undertaking to improve data protection and annual audits of data security.
The ICO is about to launch a campaign to raise awareness of data protection among young people. ®