The University of Essex has been hit by a major data breach, with the release of sensitive data on more than 400 students.
A spreadsheet containing student IDs, dates of birth and contact details was “accidentally” attached to an email from a facilities management delivery partner on 23 March, requesting payment for repairs to a broken door on an accommodation block.
“We are taking this issue very seriously and ensuring our delivery partners understand our high expectations about the management of data,” said a university spokesperson.
University offers of “advice and support” notwithstanding, a number of students affected by the incident have contacted specialist data breach law firm, Hayes Connor.
“We are receiving enquiries in relation to a range of data breaches at present, but this is a particularly worrying one,” said Christine Sabino, the legal specialist at Hayes Connor representing those affected.
“The spreadsheet included on this email contained all kinds of crucial data on hundreds of people, so the seriousness of the issue should not be downplayed.”
The law firm said that it is continuing to receive new enquiries about the issue and is asking the university to provide fresh updates on the incident and outline how further issues will be prevented in the future.
In related news: New study reveals the most expensive academic data breaches
“We have seen how breaches of this kind can have a big impact on those affected,” added Sabino. “It should also be remembered that many of the individuals involved here are young adults living away from home for the first time. Some may be very worried about this or unsure what to do next.
“The individuals we have spoken to are desperate to know how this happened. They are also keen to understand what is being done to prevent more issues in the future.
“When individuals provide data to organisations of any kind, they trust that the information will be handled in a secure and proper manner. Issues like this only serve to undermine that trust, so we are determined to help our clients get the answers they deserve.”
Regular security and compliance training may not be enough to prevent such incidents happening in the future, according to Steven Wood, director of information management software developers, OpenText.
“There’s no guarantee that every employee or contractor is always following well thought out policy,” he said.
Instead, he recommended the use of data loss prevention technology, able to detect various forms of unstructured and sensitive data in real-time.
“By combining a data loss prevention policy with email encryption, organisations can mitigate against employee mistakes and avoid unnecessary breaches,” added Wood.