The University of East Anglia has suffered its second serious data leak this year after personal details of a member of staff were sent to 300 postgraduate students.
The incident seems to have happened when an administrator accidentally used an email distribution list, sending the missive to research students in the social science faculty.
A second email was sent asking the recipient to respect the privacy of the individual in question, whose health details were revealed, and to treat it as confidential.
It added:
“This message was sent to you in error, and due to the sensitive nature of its contents, we have worked with colleagues in ITCS to remotely extract the message from all recipients’ accounts...
“The university’s data protection team are investigating this incident as a data breach, and we will look into how and why it occurred, and what can be done to ensure the mistake is not repeated.”
The incident, which occurred last Sunday, came just weeks after privacy watchdog the ICO ruled it would take no further action in a similar case which occurred in June.
Back then, a university staff member accidentally shared highly sensitive details on 40 undergraduate students given essay extensions to over 300 American Studies students.
The spreadsheet in question apparently contained information including students’ suicidal thoughts and recently deceased relatives. It was also sent in error due to the use of distribution lists.
An associate tutor at the university told the Norwich Evening News that the data protection training introduced after the previous breach consisted of a mere eight question multi-choice quiz.
“It’s ridiculous and they haven’t learned the lessons of the previous breach,” they said. “The ICO decision was rubbish, and it’s happened again, not even a few months later.”
Thomas Fischer, global security advocate at Digital Guardian, said the incident heightens the need to “data aware” security technologies in the education sector.
“This would help protect data at source, removing the risk factor associated with human error and insider threats. Had the University of East Anglia had such technologies in place, it could have prevented highly sensitive information from being sent without prior approval and prevented it from being opened by the recipients,” he added. “Universities have a duty of care to their staff and students so must better prioritize data protection so that mistakes like this don’t happen again."
Adenike Cosgrove, EMEA cybersecurity specialist at Proofpoint, argued that breaches are fundamentally a governance issue.
“Organizations must combine information security with data governance programs that identify, classify and protect critical and sensitive data assets,” she added. “Technologies like encryption and Data Loss Prevention (DLP) provide automated controls that protect the processing and storage of confidential information. Only by leveraging technology controls, can the likelihood of data exposure be reduced.”
Human error is by far the number one cause of incidents reported to the ICO, according to FOI request data.