Students’ personal information accidentally leaked by UW

Photo by Ryan Hueglin

Photo by Ryan Hueglin

56,000 student applicants to the University of Waterloo had their personal information inadvertently exposed as a result of a technology glitch discovered in mid-February.

Now, the university has some apologizing to do.

“We were very sorry that any applicant data was exposed,” said Nick Manning, director of media relations and issues management at UW. “Information security is a high priority for us.”

UW was informed by a prospective student on Feb. 18 that it was possible to view details from other students’ applications in their online student information system.

While the issue was discovered on Feb. 18, information had been open since Feb. 11. The university issued a mass e-mail to students on Feb. 21, explaining the incident.

According to Manning, due to an administrative error, a self-service option that should only be made available to staff had accidentally been turned on.

“Meaning that about 8,000 of our 56,000 applicants in the system were able to use the search function to look at other records,” Manning explained.

For each of those records, an existing applicant could potentially view as other applicants’ information, such which high school they attended, test scores and prior academic achievements.

However, according to Manning, no names were exposed in the glitch, only applicants’ ID numbers.

“All of the applicants could only be identified by their ID number,” Manning assured. “There was no financial, contact or health information potentially exposed.”

However for a number of graduate students applicants, the glitch potentially leaked the name, institution and e-mail address of their referees. As a result, an additional 8,000 referees who were in the system also had their information exposed.

Within 30 minutes of being notified of the glitch, Manning said the school’s information technology department fixed the issue. In addition, UW also put new oversight procedures in place to make sure that there are further checks made to any changes within the system.

The school will continue to monitor the online database to make sure that another incident does not occur.

They also contacted Ontario’s Information Privacy Commissioner, who issued an e-mail statement to The Cord explaining that they were “presently looking into the incident.”

The privacy lapse also affected applicants for joint programs affiliated with UW, including Wilfrid Laurier University and the University of Guelph.

Jessica Lalonde, a student at Laurier Brantford’s campus, had only just applied for the tri-university history master’s program when she received the news of a possible identity breech.

“I wasn’t even going to apply to the program initially and then I finally did and I was like ‘oh of course the second I apply to it something bad happens,’” she said. “They reassured me it was limited exposure and I think they did what they could.”

Lalonde said that the incident would not have an impact on her decision to accept admission.

Manning also noted that a majority of the applicants were generally co-operative and understanding.

“The vast majority of people who got back in touch with us were very grateful that they were informed and maybe wanted to know how their application was progressing,” he said.

According to Kevin Crowley, the assistant vice-president of communications, public affairs and marketing at Laurier, 126 graduate students at Laurier were affected by the data error.

“Both schools take the security of data very seriously,” he said.  “It’s unfortunate that it happened in this case, but I believe that UW acted as quickly as they could on it.”

Manning stressed that upon a thorough analysis of the database, no unusual activity occurred within the system over the period.

This means that there is no indicator that anyone viewed another student’s online profile.

“To the best of our knowledge we are confident that there was no unusual activity,” Manning said.

Leave a Reply