179 files containing sensitive information about students’ funding sent to unintended recipients

On October 29, some students received e-mails from the University of Toronto enrollment services indicating that they were awarded funding through University of Toronto Advanced Planning for Students (UTAPS) only to find that they had also been sent 179 files containing sensitive information that was not theirs.

UTAPS grants are available to full-time students who are Canadian citizens, protected persons, or full-time residents.

Individuals who have already applied for government student loans through the Ontario Student Assistance Program (OSAP) are automatically considered for extra funds through UTAPS. Awards are granted based on individual need. 

The 179 files that were inadvertently distributed contained students’ names, street addresses, award amounts, student numbers, and faculties of study.

SAFE COMMUNICATION

The leak of student information immediately raised questions about the security of the university’s communication procedures. 

Talisa*, a first-year nursing student who received the e-mail, was shocked to discover the mistake. “I’ve never gotten UTAPS before and I was just thinking: ‘Do they usually send this out to everyone [at once]?’”

Talisa initially opened a number of attachments expecting to find her own, before she realized that she was invading fellow students’ privacy by doing so. “I could tell now how much someone needs money — that’s pretty confidential,” she said. 

When Talisa called Enrollment Services, she was disappointed to find that staff were unapologetic about the error and tensely asked her to delete the e-mail immediately. 

The same request was repeated later that day to all students who received the initial email, in an emailed apology from Donna Wall, director of Financial Aid and Awards in enrollment services.

Talisa expressed concern that details of the grants were sent out by email. “There should be something secure to log onto… rather than sending it in an email that is clearly more prone to these problems,” she said, citing the fact that OSAP operates this way. 

Talisa noted that the lapse in security was particularly surprising given the high standard usually afforded to student confidentiality on campus. “When you call the financial aid [office] at U of T… they won’t even discuss financial issues with you over the phone because it’s not confidential enough,” she said.

According to Richard Levin, executive director of enrollment services, the leak occurred due to a coding error in the program that matched the emails with the attachments. “We are reviewing our quality assurance mechanisms and will make whatever changes are required to prevent future occurrences,” Levin said. 

Levin maintained that the university responded to the privacy breach appropriately, by asking students to delete the emails without passing on any information contained in them. “The University takes the privacy of our students very seriously,” he said. “This is an accepted, sound privacy practice for this kind of occurrence.”

STUDENT REACTIONS

To some affected students, however, the situation has not been sufficiently addressed. 

Talisa said that some classmates are looking into taking legal action against the university in response to the error, but did not reveal their names. 

In the event of a lawsuit, she said she would be willing to support her friends. 

In 2013, lawyers in Windsor filed a $600-million class-action lawsuit on behalf of post-secondary students in Windsor and Essex County who took out OSAP loans between 2000 and 2006. The students’ privacy was compromised when federal employees misplaced hard drives containing sensitive personal information.

Talisa has not yet deleted the email in question. She received a follow-up email from Wall on November 5, asking her once again to delete it, and has not yet responded. “[The] only reason I haven’t deleted it is to keep this evidence,” she said.

“I think they haven’t done enough to address the issue. After all, not only is my personal information out there, but if I had someone I didn’t like on campus who also got UTAPS, they now know exactly where I live,” Talisa said. 

In the meantime, Talisa is still waiting for an adequate explanation and apology from the university. “They should at least have said… we are to blame for it. It won’t happen again,” she said.

*Name changed at student’s request.
