A software error that exposed the personal information of nearly 600 students at Ryerson University should have been resolved quicker and highlights the school’s lack of proper IT practices, according to independent technology analyst Carmi Levy.
The Toronto university learned of the serious software glitch – found in an application used by students to register for courses – after a student reported to faculty that the program was allowing him access to the names, address and social insurance numbers of fellow Ryerson students.
The issue was brought to the attention of the school’s registrar’s office in an e-mail sent on Dec. 27.
“Ryerson received it on Dec. 29, but were unable to speak to the student until after (the student) returned from holiday,” said Heather Driscoll, Ryerson’s information and privacy co-ordinator. “But based on the information the student had, it was not enough for Ryerson to identify the problem.”
That didn’t happen until two more students notified the school of the software error, Driscoll said. With more information to work on, Ryerson was able to identify the glitch and patch the problem.
“This is unacceptable,” said London, Ont.-based analyst Carmi Levy. “If the smoke alarm in your house went off, would you ignore it indefinitely because you couldn’t find evidence of smoke or fire? Most of us would meticulously search every nook and cranny of the house to ensure beyond a shadow of a doubt that it was a false alarm.”
In this case, Levy added, Ryerson ignored an alarm and went back to business as usual without adequately hunting for the source.
“The school allowed a known exposure of confidential data to continue because administrators were unwilling to invest the requisite time and resources into a thorough investigation,” he said. “Their lack of an effective, timely response significantly and unnecessarily raised the potential for real damages to arise as a result of this exposure.”
Although an investigation by the school is ongoing – with the university contracting the information and analysis group at Ernst & Young Canada to assist in the inquiry – Ryerson can confirm that the privacy breach occurred at some point between Nov. 17 and Jan. 9 and that the information of up to 588 students might have been exposed during the two month period.
On Nov. 17, Ryerson performed an upgrade to the student administration system, which was found responsible for the software glitch.
Levy said that if the software upgrade caused the privacy breach, it would indicate a serious lack of process regarding how Ryerson rolls out or implements new systems.
“In most cases, projects like this have very defined steps for rolling back to the previous version if serious problems are encountered following a go-live,” he said. “It’s quite surprising that such an error wasn’t discovered by the project team in the first place and was allowed to persist in the live environment for almost two weeks before it was finally resolved.”
Levy added that he was surprised Ryerson didn’t roll back to the previous system until they figured out the root of the cause. “There seems to be plenty of blame to go around, as this is what happens when immature IT processes are applied to complex systems implementations.”
News of this latest Ryerson privacy breach comes just a few months after a less technical privacy situation popped up last October.
Exam grades, payroll stubs, student numbers and other personal faculty information were found scattered in an unlocked school office. The confidential documents were left in boxes labeled “shred” in the deserted room.
Ryerson’s Driscoll said that both the October situation and the current software glitch were reported to the Information and Privacy Commissioner of Ontario. In the first instance, the IPC was satisfied with the university’s response to the breach and its notification methods.
Brian Beamish, the IPC’s assistant commissioner for access, said that it will work to ensure that Ryerson is doing the same in this case, but stopped short of saying that commissioner’s office would be putting out a public report on the matter.
“If we’re satisfied with where an institution is after the investigation, we wouldn’t put out a public report or make any recommendations,” he said.
When asked why Ryerson would even need to collect and store personal information such as SIN numbers, Beamish said that was still to be determined.
One issue for Ryerson to address, according to Levy, is to make it easier for students to report potential breaches in the future. In this incident, each of the three Ryerson students that filed complaints went through different avenues to do so.
“It’s all too common for stakeholders of any organization to have difficulty knowing who to contact for a given type of issue or emergency,” Levy said. “This is especially difficult in an academic setting, as students tend to be more transient than the average office worker, and are less likely to remember rigid administrative practices, much less follow them.”
This results in confusion and delay, he said, hardly the kind of thing that inspires confidence when private information is blowing in the wind. You want to ensure emergency calls get routed as quickly as possible and to the best people equipped to solve them, Levy added.
