University of East Anglia under fire for leaking sensitive and confidential data about students

The University of East Anglia has been hit with anger and disappointment from students and the general public after it was revealed that a member of staff made a horrific error in sending out a spreadsheet listing named students’ extenuating circumstances.

The spreadsheet identified the 40 students by name and student ID number and had their private and confidential information with their names. The list of circumstances included things like family illness and bereavements; mental health problems including depression; and sexual assault cases.

We have already been contacted for advice and we’re investigating the issues.

The sensitive information is provided by the students themselves usually to explain why they need an extension for coursework or postpone their studies, and the spreadsheet was sent in error to 320 students studying American Studies.

The list of confidential information concerned students studying Art, Media and American Studies. This meant that the students who received the email could be classmates or known to those listed on the spreadsheet.

After the mistake was made, a follow up email was quickly sent asking recipients not to view the list, saying:

“You may have erroneously received an email with a spreadsheet attachment. Could you please delete this without opening/reading. Thank-you very much.”

Urgent inquiry underway

An “urgent inquiry” has been launched by the University of East Anglia but it’s likely to find that the serious data breach was a product of nothing more than a simple administrative error.

Sensitive and private information such as the data on this leaked spreadsheet needs to be looked after with great care. Access should be limited to only those who have both authorisation and reason to enter into the file. Passwords and encryption can at least provide some sort of barrier to hinder any unauthorised access too. Even though a password protected spreadsheet may not be able to stop any self-respecting hacker, it could prevent the 320 students from being able to get in by just a simple click.

Anger and upset caused

The affected students are understandably furious and upset by the error. One student said she “felt sick at seeing my personal situation written in a spreadsheet, and then seemingly sent to everyone on my course. My situation was not the worst on there but there are some on there that are so personal. There are people I know and I feel so awful for them and can’t imagine how they are feeling”.

Other students who were unaffected are also outraged by the incident, taking to twitter to blast the University’s way of handling the breach. UEA’s twitter statement said that the university “apologises unreservedly for email sent in error to 320 American Studies students. Affected students can call 01603 592761 for support”.

As one user put it simply and yet accurately: “This isn’t good enough”.

Anger from the Student Union

The Student Union body have not held back in their anger over the University’s mistake and efforts to rectify the situation. The Union’s Education Officer, Theo Antoniou Phillips, labelled it as “shocking and utterly unacceptable” and one that “never should have happened”.

The Welfare, Community and Diversity Officer slammed the incident as “a real slap in the face to students who have sought support”. As an education institution previously committed to improving mental health support, the data breach is sure to take them back a few steps.

The Information Commissioner’s Office is most likely to begin investigations into the incident, if they haven’t done so already. The ICO are not afraid to action any number of legal sanctions available at their disposal when faced with a data breach like this; especially when it is entirely preventable.

Several mainstream apps pay $5.3 million settlement for illegally accessing iOS users’ contacts list

Yahoo’s CISO responds to data breach questions