UPEI privacy breach leaks personal data of 700 people
Krystalle Ramlakhan | CBC News | Posted: April 18, 2016 8:00 PM | Last Updated: April 18, 2016
University says information was up for two weeks, but only two people accessed the site
About 700 people who sought summer accommodations through the University of Prince Edward Island website had their personal information leaked in a privacy breach last month.
Personal information from submissions dating back to October 2014 were posted to a upei.ca web page, and could be found through a general web search.
According to the university, the form data included (depending on the submission):
- First and last name
- Gender
- Mailing address (street address, city, province or state, and postal code)
- Telephone number
- Email address
- Reason for reservation
- Arrival and departure dates
- Number of room occupants
- Type of requested accommodation
- Length of requested stay
Financial or credit card information was never published.
The information was available to the public online for 15 days.
The university's records show the information was only accessed twice from March 15 to March 30 said UPEI spokesperson Dave Atkinson.
"UPEI takes people's personal information very seriously which is why the moment that we discovered that there was any information out there that was published from the university we took care of it immediately," said Atkinson.
How the breach happened
According the university, someone filling out the form put in a request to the university's web team to see what had been submitted so far. The team adjusted some settings to allow that person to see what had been submitted.
"Unfortunately they adjusted the settings just a little bit too far temporarily making other people's information available," said Atkinson.
The university's "review did not reveal any real risk of significant harm" according to an email sent to all those affected.
In the email the university wrote it was informing people because it wanted to ensure they were aware of the event so those affected could monitor their data accordingly.
Atkinson said UPEI found out about the information breach because someone was searching their own name and that keyword revealed the list of information. He said the web team immediately identified the cause of the error and closed the results of the form on March 30.
UPEI believes the two people who accessed the information were that person who found it initially and the web team who took the information offline.
"It was not a very easily found piece of information on Google. So but that concerned the person immediately obviously ... and as soon as we found out we immediately shut that security breach down and made sure, did our investigations to see how it happened and what we could do to prevent it from happening again," said Atkinson.
Thorough review by UPEI
UPEI has also reviewed all other data collection forms within the upei.ca infrastructure and found all sharing settings are correct.
"It won't happen again ... Any time that any sort of request for information of this type come in, it will be handled with in a different way so that that is not ever exposed again," said Atkinson.
The university has apologized for the unintentional publication of people's submission data.