Hundreds of students have personal emails exposed in data breach at University of Limerick | Business Post
Hundreds of students have personal emails exposed in data breach at University of Limerick
UL has notified the Data Protection Commission about the issue and apologised to impacted students
DONAL MACNAMEE
OCTOBER 5, 2022
UL: the university said it had put in place new processes for communicating with CAO applicants following the data breach
Hundreds of people had their personal email addresses exposed in a significant data breach at the University of Limerick (UL), the Business Post has learned.
The incident, which took place in August, impacted Central Applications Office (CAO) applicants considering studying at the university, and has been referred to the Data Protection Commission (DPC).
It’s understood that nearly 1,000 students were impacted by the breach, which occurred when UL was emailing would-be students about elective options for their courses.
Rather than using the “bcc field”, which hides email addresses, the email was sent with applicants’ personal emails in the “to” field. Ths meant that every address was visible to every recipient of the message.
Those who received the email were asked to delete it and the communication was re-sent using the bcc function, UL said.
The university said it had apologised to impacted students, noting that the breach was the result of “human error”, and only email addresses were exposed.
A spokesman said the university had put in place new processes to deal with CAO applicants following the issue, and that the data regulator had been notified.
“It is regrettable that this data breach occurred, and appropriate measures have been taken to prevent recurrence,” he said.
The CAO declined to comment on the data breach, but it is understood that all Irish universities were notified in line with its data policies.
Graham Doyle, deputy commissioner at the Data Protection Commission, said it agency had graded the breach as “low risk”.
“UL confirmed that they would engage with staff over this issue,” he said, noting that the file was now closed on the issue.
In September, the Business Post reported that the personal details of more than 45,000 individuals had been exposed as part of a separate data breach at the Higher Education Authority (HEA).
The authority disabled a feature on its website that allowed employers to directly contact individuals who had taken part in Springboard courses.
It did so after it was contacted by the Data Protection Commission, which was alerted to the issue by the Business Post.
The feature allowed anyone to create a profile and register as an employer without verification. Once registered, access to personal details, including names, mobile phone numbers, email addresses and education courses taken by 45,720 individuals was immediately available to be viewed and downloaded.
While the feature was only recently introduced, the data on attendees of Springboard courses goes back to 2011. In addition, the details of a small number of people who have signed up for programmes but have yet to begin them, were also available to view.
UL has notified the Data Protection Commission about the issue and apologised to impacted students
DONAL MACNAMEE
OCTOBER 5, 2022
UL: the university said it had put in place new processes for communicating with CAO applicants following the data breach
Hundreds of people had their personal email addresses exposed in a significant data breach at the University of Limerick (UL), the Business Post has learned.
The incident, which took place in August, impacted Central Applications Office (CAO) applicants considering studying at the university, and has been referred to the Data Protection Commission (DPC).
It’s understood that nearly 1,000 students were impacted by the breach, which occurred when UL was emailing would-be students about elective options for their courses.
Rather than using the “bcc field”, which hides email addresses, the email was sent with applicants’ personal emails in the “to” field. Ths meant that every address was visible to every recipient of the message.
Those who received the email were asked to delete it and the communication was re-sent using the bcc function, UL said.
The university said it had apologised to impacted students, noting that the breach was the result of “human error”, and only email addresses were exposed.
A spokesman said the university had put in place new processes to deal with CAO applicants following the issue, and that the data regulator had been notified.
“It is regrettable that this data breach occurred, and appropriate measures have been taken to prevent recurrence,” he said.
The CAO declined to comment on the data breach, but it is understood that all Irish universities were notified in line with its data policies.
Graham Doyle, deputy commissioner at the Data Protection Commission, said it agency had graded the breach as “low risk”.
“UL confirmed that they would engage with staff over this issue,” he said, noting that the file was now closed on the issue.
In September, the Business Post reported that the personal details of more than 45,000 individuals had been exposed as part of a separate data breach at the Higher Education Authority (HEA).
The authority disabled a feature on its website that allowed employers to directly contact individuals who had taken part in Springboard courses.
It did so after it was contacted by the Data Protection Commission, which was alerted to the issue by the Business Post.
The feature allowed anyone to create a profile and register as an employer without verification. Once registered, access to personal details, including names, mobile phone numbers, email addresses and education courses taken by 45,720 individuals was immediately available to be viewed and downloaded.
While the feature was only recently introduced, the data on attendees of Springboard courses goes back to 2011. In addition, the details of a small number of people who have signed up for programmes but have yet to begin them, were also available to view.
