Simon Fraser University has compromised personal information contained in more than 100,000 requests sent to its IT services department over the last three years.
On Jan. 27, SFU IT services inadvertently copied incidents, inquiries and requests it had received between 2013 and 2016 onto a server with an unprotected database during a transition to a new system, communications director Kurt Heinrich told the NOW.
The exposed database was discovered on May 16 and taken offline on May 17.
It contained 20,294 email addresses, personal contact information and other personal information about students, staff and faculty, depending on the nature of the IT incident, inquiry or request they sent.
While the information was exposed for nearly four months, however, Heinrich said the university has seen no evidence it was accessed by an outside party.
“The database was simply left unprotected,” he said. “We have no evidence that any third party accessed the database during the time it was unprotected, nor do we have any evidence that there was any misuse of the information contained in the database. Criminal conduct is not suspected at this time.”
To be on the safe side, the university has put one-year privacy breach holds on the accounts of 8,347 current and former students since unauthorized individuals could use information gleaned from the unprotected database to request documents in students’ names.
Affected students were alerted to the breach via email on June 3.
Students with holds on their accounts now have to order documents (transcripts or letters confirming enrollment or degree completion) in person or request to have the hold temporarily or permanently removed.
The university is also recommending affected students, staff and faculty closely monitor personal accounts and memberships of all kinds over the next several months.
Heinrich stressed privacy breaches of this kind are very rare and that the university is investigating the cause and extent of the breach to see if additional actions need to be taken.
“We are also reviewing and changing, as appropriate, physical, procedural and technical security measures as well as internal operating policies to ensure this sort of incident doesn't happen again,” he said.
Moving forward, he said, the university will also form a “change advisory board,” to improve procedures for detecting unprotected databases and initiating an external audit of information security at the university.
