The University of East Anglia mistakenly shared personal and sensitive details about certain students with hundreds of others via an e-mail.
The University later asked all recipients to delete the e-mail without opening or reading it and has launched an enquiry into the data breach.
“An email was mistakenly sent to 298 American Studies undergraduates this morning containing details of 42 students with extenuating circumstances. This clearly should not have happened and the university apologises unreservedly. The university has launched an urgent enquiry and is contacting all affected students to offer support,” said a University of East Anglia spokeswoman.
The spreadsheet shared by the university with 298 students included details of health problems, personal issues and family bereavements of as many as 42 students. These students had sought extensions and other academic concessions based on these circumstances.
The revelation has resulted in shock and disbelief among affected students whose personal details are now available for all to see. “I felt sick at seeing my personal situation written in a spreadsheet, and then seemingly sent to everyone on my course,” said Megan Baynes, a 23-year old student to BBC.
The UEA Students’ Union has termed the incident ‘a shocking and utterly unacceptable data breach that should never have happened.’
“A simple mistake like this can have distressing effects for those caught in the middle. That distress is likely to turn to anger and the University could face serious legal repercussions for its mistake,” said Thomas Fischer, Global Security Advocate at Digital Guardian.
“This incident reinforces the need for “data aware” security technologies in the education sector. This helps protect data at source, removing the risk factor associated with human error and insider threats. Had the University of East Anglia had such technologies in place, it could have prevented this highly sensitive student information from being sent without prior approval and prevented it from being opened by the recipients.
“Universities have a duty of care to their students and must better prioritise data protection so that mistakes like this don’t happen again,” he added.