University of York admits website data leak of 148 students' details

The university says that the Information Commissioner's Office (ICO) has been notified, as have the students whose details were compromised.

Infosecurity understands that the ICO is investigating the data breach, which involved students' names, addresses, A-level results and mobile phone numbers being listed on a web page that was accessible via a student enquiry page.

In a press statement, the University of York says it took immediate action to rectify the problem, as well as apologising to the affected students. The university has also launched a review of its IT systems and procedures to ensure the problem will not happen again.

Although the reasons why the student data was published on the university website have not been revealed, security experts gave a firm thumbs down for the university's security governance.

Aziz Maakaroun, business development director with Outpost24, a vulnerability management firm, said that the data breach was embarrassing for the university, as well as distressing for the students, who have found their confidential details exposed in such a public way.

"By reporting this breach to the ICO, and launching a full and immediate investigation into how it occurred in the first place, the university is clearly taking the right steps to remedy the situation", he said.

"However, you can't help but think that this is like locking the stable door after the horse has bolted", he added.

Vulnerabilities in websites, he went on to say, make it all too easy for hackers to tamper with the content – in this case, posting personal data on the student enquiry page of the university's public website.

"To stop this from happening, it is vital that organisations take a more proactive approach to their security by continually scanning for web vulnerabilities, which hackers find relatively easy to exploit", he explained.

Over at audit and compliance specialist LogRhythm, meanwhile, Ross Brewer, the firm's vice president, said that the constant stream of incidents like this gives the impression that organisations' IT departments are not up to the job.

LogRhythm's recent research, he says, found that 63% of UK residents were concerned that they may become a victim of identity theft through no fault of their own, whilst half believe neither public nor private sector organisations have sufficient security measures in place to adequately safeguard sensitive data.

"Not only are organisations failing to keep sensitive information secure, they are also botching the follow-up when breaches do occur", he said.

"In this instance, the University of York is reported to have left data exposed and accessible for over a week, only disabling the system after being alerted to the problem [on Wednesday] morning", he added.
