Personal email addresses of prospective students exposed in UL data breach

A MAJOR DATA BREACH at the University of Limerick (UL) led to hundreds of individuals having their personal email addresses exposed.

Central Applications Office (CAO) applicants were impacted by the incident which occurred in August and first came to light in the past week following a report by The Business Post. The matter has been referred to the Data Protection Commission (DPC) after a decision was made by UL’s Data Protection Officer.

Up to 1,000 students were impacted by the breach which happened when UL contacted potential students about elective modules at the college. The purpose of the email was to advise applicants to consider the options associated with their selected courses as they would need to decide about their elective/pathway if they secured a CAO offer for UL.

A spokesperson for UL told The Clare Echo, “Unfortunately, the email was sent with applicant email addresses in the ‘to’ rather than the ‘bcc’ field. This is contrary to UL policy and occurred because of human error. No other personal data was contained in the email”. The bcc field in an email allows you to send emails to multiple people without seeing who else it was sent to.

This error was “quickly discovered” with an email recall issued, another email was sent using the bcc function to the original recipients, apologising for the error and requesting them to delete the original email. Another email, the original one relation to the elective modules was re-sent to applicants using the bcc function.

UL also informed the CAO of the data breach and the steps taken to mitigate its impact. The CAO advised applicants affected that they could change the email address registered with the CAO if they wished.

“Since this incident, UL has reviewed its practices and has put in place a new process to communicate with applicants. The University is committed to safeguarding all personal data with which it is entrusted, and all UL staff are required to complete data protection training. It is regrettable that this data breach occurred, and appropriate measures have been taken to prevent recurrence,” the spokesperson added.