Brit uni blabs students' confidential information to 298 undergrads The University of East Anglia has sent almost 300 undergraduates an email detailing other students' extenuating circumstances. The information was in an Excel spreadsheet attached to an email that ended up being sent to every undergraduates enrolled at the American Studies school through an email-all address. It included 42 …
Outlook isn't to blame, users are. We've had this happens plenty of times with recently trained staff using web based e-mail systems.
What's started working for us it making the person who made the mess clean it up, having them SPEAK to the people affected as well as write to them. Other staff became more concerned when they realised they might have to go face to face with the person they'd leaked sensitive information about.
Outlook may indeed have a recall option, but that can only work for email sent to a recipient on the same mail network (ie an office colleague).
As soon as your email leaves the domain it was sent to go to another one, your recall option dies.
Edit: aaaand a FuzzyWuzzy beat me to the punch. Well done !
The "recall" option only works for the recipients on the same Exchange tenant though.
The only way to make this kind of dumbass attack not happen is clear separationof concern in the office. You deal with the mental health spreadsheet, you physically go to another laptop in the office. And no sneakernet.
We sadly read:
Given the university is supposed to be making mental health a priority
Only in the ago of diversity and social justice. Previously, the university was supposed to make teaching & research a priority.
We sadly read:Given the university is supposed to be making mental health a priority
Only in the ago of diversity and social justice. Previously, the university was supposed to make teaching & research a priority.
Oh dear. Someone who is unable to recognise that it is possible to entertain more than one priority, possibly even ranking them in conditions where they might conflict.
In your world, I expect someone with mental health issues is told 'Pull yourself together, man!' and that's the end of it. After all what do a few suicides matter once the university has already got their fees? And it's not like the late teens and early twenties are common ages when diseases like schizophrenia first manifest, is it?
Maybe you'll have to wait until someone in your family dies before you start to wish that everyone had shown a little more awareness a little sooner.
>'A' priority, not 'THE' priority.
Which would correctly tell you absolutely nothing. It is a priority, just slightly lower in ranking than cleaning my toenails.
Forget banning Outlook, ban "Excel as a database".
Ok, that's harsh. We just need Excel with a data store which isn't a file. Then at least you can keep hold of the access control even after the mail is sent.
I was tempted to use the "c" word, but we probably don't need that kind of language around here!
Mushroom c....
A bit of DLP would be nice too. If you ditched the proprietary formats it would be even easier and cheaper to implement....
"The "recall" option only works for the recipients on the same Exchange tenant though."
Sadly even that isn't true, at least up to Exchange 2013, not used 2016 yet. Recall with Outlook/Exchange requires that the recipient of the recall be using the Outlook client as well, if they're using OWA or connecting via IMAP they'll simply get and email saying "User <insert name here> would like to recall this message", it's only a running Outlook client that which actually process this and remove the message from the inbox. Or at least that's what uses to happen last time I looked into it, maybe it's been patched since?
"The "recall" option only works for the recipients on the same Exchange tenant though."
Thing is, in this case they probably are. Most universities will just issue students an email account on their own infrastructure rather than sending email out to personal addresses.
Of course, it's a bit late by then anyway.
You have no idea (or maybe you do) how mind rippingly annoying it is to carefully craft a web-app front end to an encrypted database designed to keep all this kind of information safe only to be asked (1) to code an excel download option and (2) see those data appearing unencrypted in spreadsheets on the shared folders.
Unfortunately, I know exactly how annoying it is. It's something I've done more times than I care to recall. I have a thankfully now long-past history churning out Spring CRUD apps for enterprises of all sorts.
If organisations don't start learning to say No to these kinds of requests they're going to get hammered by GDPR when they inevitably fuck up. They've got HR platforms, they've got ERP and CRM platforms. Those bits of software are all more than capable of sending emails securely from a vetted workflow.
There's no excuse. This isn't some piddling SMB we're talking about. This is a university with 4,000 staff, 16,000 students and an annual budget of £250m.
Those bits of software are all more than capable of sending emails securely from a vetted workflow.
ERP systems are often a pile of cack for anything non-standard, but your point extends to the fact that they (apparently) didn't even have the file encrypted and protected. Admittedly that's a weak last line of defence, because busting an Excel password isn't that hard, but at least most people couldn't do it, or wouldn't bother.
They deserve to be taken to the cleaners for this.
Have to agree that many organisations operate a monolithic structure where the ERP systems aren't flexible enough to do the job, but they're so insular and unmodifiable that for a rough and dirty report on, say, pay by gender, or pay by disability or amount of paternal leave taken, or percentage of students requiring special measures for exams, that it's often quicker, easier and within the DIY reach of a member of support staff to take the data through Excel to get the result.
So often I get asked, "How quickly can you get a breakdown of historic research income by quarter separated by the gender ratio within the lab and gender of the lead investigator?" that when I reply "Two days, including testing, once I've finished this epic piece of coding I'll get straight onto it for you." I get "I could do that in Excel in, like, an hour".
So often I get asked, "How quickly can you get a breakdown of historic research income by quarter separated by the gender ratio within the lab and gender of the lead investigator?" that when I reply "Two days, including testing, once I've finished this epic piece of coding I'll get straight onto it for you." I get "I could do that in Excel in, like, an hour".
It depends on how well you know your way round the schema. If all they want is a one-off you should be able to do it from a good SQL database in less time than Excel. It depends on your priorities and those you work with. They need to realise that if you're doing application coding and one-off queries.then the application coding is going to be delayed by a lot longer than the time you actually spend on the on-offs. However they might be OK with that.
With my toolset ($20K total per seat) I can beat the Excel time handily even if I have to import the schema. Really depends on the amount of marveling at WTF cruft within. Counterpoint, they won't have bought these tools for their devs. Which is why I get bizarre requests from the odd establishment now and again.
Maybe encrypt the spreadsheet/document with sensitive content using a specific key pair before sending it as an attachment? At least the private key holder(s) could be identified and would only issue the public key to those that actually need it. It's not rocket science - it can be a pain, but not as painful as a breach like this.
Oh Christ on a bike! It's almost as bad as doing everything in Word or Excel, stored on Sharepoint.
I mean, why get people to complete the reams of paperwork required for a project specification as word documents which are then stored in a hierarchical folder based structure that varies around a core design depending on who the Project Administrator is? That administrator then has to copy the information from the word forms into PowerBi, which churns out an incomprehensible set of graphs and a pile of hyperlinks to other word documents. It's bizarre and archaic! But it's the latest thing. Apparently. Working stupid is the latest thing. Amazing.
If the university had done the sensible thing -- saying that a serious error had been made, explaining that the enclosure contained personal data about other students, suggesting that recipients should respect privacy -- the email would have been worthwhile.
Don't send a message which might encourage inquisitiveness.
Where there are email lists and confidential attachments available at the same time these things will happen.
Since email software can identify key words and ask "did you want to attach something", at the very least, in 2017, it's shocking that there is no automatic message saying "This is an email list. Are you sure you want to send <attachment name> to everyone on this list?"
If you use Outlook you can set that up using a mail rule with the "defer delivery" action. Messages will sit in your outbox for the configured period before actually being sent.
There's probably a good case for organisations to set up such a rule globally through group policy. It would be easy enough to make it conditional so that messages with the "urgent" flag don't get delayed.
Er, no?
Convenience and email shouldn't just meet, they should fall in love, get married and have a horde of kids. Removing this convenience would make even simple tasks, like keeping the team in CC and not forgetting anybody much more of a hassle so people wouldn't do it if they could get away with it which leads to fewer people being informed about relevant stuff which leads to confusion.
Emails to the whole company about the office party? Congratulations. You just made the poor sod writing the email have to type 100+ names instead of using the staff distribution list.
Edit: Oh bugger, this was meant as a reply to the first AC post
The WTF for me is the fact that they're storing highly confidential information in a spreadsheet. And a non-protected one at that.
This stuff should be stored very carefully, so that it cannot ever be accidentally sent to lots of people in a readable form.
The fact that email is the messaging medium is pretty irrelevant, its the data storage that's the problem here.
This is commonplace in all aspects of education, I've been working in a college for over 10 years and it all comes down to money.
We have a student DB, but it's unwieldy, slow and crap. To get any changes made to it, you have to get the developer in to do a analysis, then the design, then the development, etc before it can be finally added and used.
The admin staff know how to use Excel, filters and search. The DB, rubbish as it is allows exports so why not export student lists and create your own small list of students extenuating circumstances. And everything needs to be done yesterday so shortcuts always win
"We have a student DB, but it's unwieldy, slow and crap. To get any changes made to it, you have to get the developer in to do a analysis, then the design, then the development, etc before it can be finally added and used."
I wonder why anybody does analysis and design. Could it be to try to prevent this sort of thing?
By letting - yes, there's an element of permission there, even if only be default - short-cuts to be taken your student DB is prevented from being improved. And so your management paints itself further into a corner so that, assuming you're in Europe, one day you find that you didn't really save money, all you did was postpone it until it was drained away in a big fine.
Yep, I'm UK.
The DB does what management want, allows them to pull completion reports, results, stats and figures which are all sorts of mixtures of RAG colours but it's rubbish for teaching and support staff.
Talking about saving money, my senior managers have lots of cash for constant moving around of departments and the associated building works that come with it, 4 years in a row I've had to move offices
"Talking about saving money, my senior managers have lots of cash for constant moving around of departments and the associated building works that come with it, 4 years in a row I've had to move offices."
Just moving around? Real managers would have had at least 3 reorganisations in that time?
"The WTF for me is the fact that they're storing highly confidential information in a spreadsheet. And a non-protected one at that."
Most likely, the data was extracted from several databases and merged into a spreadsheet for an internal meeting. The spreadsheet would have been stored on an internal share protected by Windows ACLs. It would have been protected by ACLs but somebody with access attached it to an email.
Perhaps there is something wrong with system storage and OS design. If a user wishes to send or copy a document which resides in a special storage area, shouldn't the system protect the user from mistakes?
Who's seen a scenario like this before:
1. Company invests in a system where its staff have to login to access certain data. The point being, anyone who should be able to access the data has access to the system, and nobody else.
2. Someone (who may or may not have access to the system) requests some data.
3. Someone - with access - exports data, and emails it to 2.
4. You've completely negated the point of 1.
Unfortunately people will always choose "convenience" over policy, or what's right. Until they personally get in trouble. But you know, they rarely do. And so it continues.
And as for all that "this email is confidential so don't open it if it's not really for you" bullshit at the bottom. Yeah, good luck with that. That's a bit like saying if you find my PIN number written on the back of my card, please don't type it into an ATM. Too late at that point I'm afraid.
It should be :
3. Someone with access evaluates the legitimacy of the demand, seeks approval to gather the information and, only if approved, collates it and sends the data to (2)
The problem is not being able to send the data - the problem is the usual lack of attention to context and detail that makes this kind of mistake possible.
And no software, nor any amount of messagebox questions, will ever be able to circumvent the problem.
"The problem is not being able to send the data - the problem is the usual lack of attention to context and detail that makes this kind of mistake possible."
True. But it largely comes down to convenience for either the sender or recipient. Imagine if the recipient was sent a link to the secure system and they didn't have a login. They reply to the sender telling them they can't access it. Even if the sender can set them a login up, the sender doesn't want to deal with that "problem". So they just send the data in a format they know the recipient can open with no problem. In a similar way, people with legitimate access might say, oh I cba logging in to that, just send it me in something I can open directly. it happens ALL the time in business, trust me, I've seen it first hand in many different organisations - especially ones where it should not.
Even if people are aware of what they're doing is wrong or against protocol, they will still do it, because they don't want (short term) hassle - usually from the recipient(s).
"Even if people are aware of what they're doing is wrong or against protocol, they will still do it, because they don't want (short term) hassle - usually from the recipient(s)."
It's a matter of attitude. My last client before retiring took security very seriously because they provided secure services to clients. Irrespective of the inconvenience staff would observe secure protocols. As yet most businesses can get away without that. Gradually, as consequences get more serious and more widely realised things will improve. It'll just take bigger fines and more class actions before it happens.
The thing about taking time, doing things right etc is that every manager wants everyone to do that - except when it's something that they want done, now! and without making it difficult for themselves. Security, like chastity, is for other people.
- Poor data storage (spreadsheet for potentially medical information? No password? No encryption? Just one big spreadsheet for everyone? Hope it doesn't have macros neither!)
- Poor data management (people just picking the document up and attaching to emails, no control or confirmation of outgoing attachment, no data control intercepts to spot multiple personal information leaving the site, no limit control on emails going out to 290+ students with an attachment?)
- Poor permissions management (can just email out to groups of students with attachments? No having to post to internal services and link instead: "the document is available under your online account", etc.? )
And all for what? A spreadsheet of their reasons for failling exams. Why is that even a spreadsheet? Why is it not contained in the MIS? Why is it not in the privileged area of the MIS? What service requires you to generate a list of every students extenuating circumstances in one place in plain-text, and why would you keep that around past submission over a secure channel?
I'm guessing - based on working in schools for decades - that it's someone's pet project which they use and store separately because they can't work the MIS system, which they then email out to other people rather than them have to work out how to use the MIS. And they mis-hit and sent it to the group of affected students rather than the person they meant to inform of those students.
There's really no excuse, and it's sloppy data management in human terms, which is indicative of much larger problems in terms of handling data. The fact that someone could generate such a list from, presumably, confidential form returns is just damning. Either those returns should be electronic and straight into the database and thus this was a specific "pull out everyone with this field because I want to read them all in one go" action, or they were collating them from some other service or typing-in which shouldn't be done with confidential records.
I would expect fines on the order of 100's of thousands of pounds in such an instance. They are issued on that scale to schools and hospitals all the time, even if there's no proof that anyone else actually read them (e.g. missing encrypted CD's that you can't prove were encrypted in some cases).
And that's a whole lot more expensive than teaching Joan in the office not to do that, or replacing her entirely (now an option) and getting an MIS that handles this stuff in a way that mass-queries are held securely rather than can be Excelled out of the organisation.
This sounds like a process design fault, not just a opperational accident.
Accidents happen, so the bigger issue is of course, why is this sensitive information kept in a apparently locally stored spreadsheet with the need to share it on email (after which you loose all track of what any recepient does with it).
Even if you feel the need to use a spreadsheet for some sort of convenience, then still it should be stored in a central and protected location, and only the link shared. Then if the link accidently goes in a email to people who shouldn't have access to this information, they still can't get to it.
why is this sensitive information kept in a apparently locally stored spreadsheet
why is this sensitive information kept in a spreadsheet
TFTFY
Store data in a SECURE database, create a ODBC/JDBC link to the database, use that in Excel .... don't have link to the database ? Cannot read data .... still locally stored excel file everyone is used to ...
YET, why Excel ? Are they adding ailments, dividing by age, multiplying by date of birth or do they need pivot tables on this data ? Thought not ...
Stop using Excel for stuff it was not designed for.
I once - whilst working for a huge electronics retailer - received a presentation "designed" in Excel. I think they'd got some graphs they wanted to use, couldn't get them into Powerpoint, so moved all the text to Excel and just used one tab per page.
I then received, from the same person, a list of stores with phone numbers, addresses etc in a table - that they'd pasted into Word.
I contemplated writing my letter of resignation in Powerpoint to complete the trifecta.
interestingly expensive for them. Nice big fine from the ICO PLUS a fair chunk of the named students reaching for personal injury lawyers, given the kind of intimate situations usually claimed as extenuating circumstances...
(We had one such claim, back in the 90s, where the student stated the University had rendered them unable to complete their coursework owing to us restricting their IT access due to their taste for late-night viewing of inter-species relationship tutorials in the PC labs)
I sit on a university exceptional circumstances panel. We get some really sensitive items. Our spreadsheets don't contain student names, we use an ID number that we can identify but students (or the wider world) cannot.
I've dealt with a reply to all mailing list user error. Personally I think it was compounded by telling students not to read it and delete the email. What better way of making an otherwise dull email rather fascinating?
Personally I think it was compounded by telling students not to read it and delete the email. What better way of making an otherwise dull email rather fascinating?
My thoughts exactly.
I would have thought of something along the lines of: "A previous email of ours contained a contaminated Excel spreadsheet. If you have opened it, please come to the IT department asap, your data is at risk. If you have not opened it, delete the email and the attachment."
Weird - when I was at UEA, it would have been way harder to do this using Elm for mail. Plus nobody would see it as none of the residences were networked so it was a trek to the library to use a computer.
Mind you, that was..... *counts fingers*.... *runs out of fingers* *runs out of toes too*. Shit, that was years ago. I should have probably found a proper job and started paying back my loan by now.
Actually, I do have a job. With a multinational telecoms company, who use Outlook. I don't know how they've screwed it up but every couple of weeks I get a spreadsheet meant for someone else, followed by a "User a.dickhead would like to recall message paydetails.xslx" so it's definitely not working here.
Was the wrong file attached to an email that was meant to be sent to all the mailing list, or more likely the email erroneously sent to the mailing list, probably as the result of auto-completion of the recipient address(es). It is not uncommon to select an address from the offered auto-completion list to then find that a mis-timed mouse movement has actually scrolled up/down to the next entry in the list.
Whilst you would expect staff handling such data to be extra careful, at this time of year those involved are extremely busy with very tight deadlines to get exams marked and those marks processed (including any adjustments for extenuating circumstances) ready for exam boards.
As has already been pointed out, whilst best practice would avoid the use of spreadsheets, the unwieldiness of university IT systems encourages such practices. Where I am we have 3 or 4 different systems tied to student records, exam and coursework marks and timetabling with all sorts of limitations, incompatibilities and synchronization issues . Whilst they are making efforts to update or replace legacy systems and produce a system that meets today's requirements it is a long slow process, not helped by the fact that those developing the new systems don't always appreciate that something that might work for a small department in humanities is completely impractical for a large science department.
For our system that acts as the main portal for student coursework, timetabling, marks and feedback half the academics don't have the default access rights that the system developers expect as they can't be trusted not to mess things up, whereas because the permissions system is so complex, rather than spend ages trying to establish which of the ~100 permissions were required to enable me to manage timetabling issues our student office just gave me full departmental administrator access.
From a security point of view that is completely inappropriate as it means I have full access to a load of confidential information that I have no need to access. From a personal point of view it is highly irritating as despite turning email notifications off, my mailbox gets inundated with messages about submissions, plagiarism checks and missed monitoring posts and exam mark uploads that are of no concern to me.
One little tick box would have solved the issue
In the send messages mail options "Use auto-complete list to suggest names when typing in the to, cc, and bcc lines." - untick this and users have to maually enter each address rather than jsut picking the top from the list, solves this and many accidental addressing issues.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
