InfoNews.ca reports:
The private information of students and alumni at the local university could have been compromised sometime within the last three years because of a software bug that affected the institution’s online portal.
Students who used the online myTRU portal to access personal documents, including tuition payment options, received an email from Thompson Rivers University this weekend. The statement advised students their information, including financial records, faced what university representatives call a ‘small risk’ of being viewed by another member.
“We have learned that a software bug in the myTRU portal introduced a small risk that private information could have been accidentally viewed by another member of the TRU community between October 2012 and March 16, 2015. There is no indication that there has been any misuse of this information,” the statement said.
Read more on InfoNews.ca. The notice on TRU’s site, linked discreetly as “privacy concern,” says:
TRU has learned that a software bug in the myTRU portal introduced a small risk that private information could have been accidentally viewed by another member of the TRU community between October 2012 and March 16, 2015. There is no indication that there has been any misuse of this information.
A software bug in the myTRU portal self-service password re-set function has been confirmed and the feature has been disabled. When two individuals were attempting to reset their myTRU passwords at exactly the same time, one of those individuals sometimes gained one time access to the other’s portal. That access ended once they terminated their session in the browser or logged off. This means that only the people who have reset their password using the automatic feature would have had the possibility of being affected.
We have received no indication whatsoever that an unauthorized individual has misused any information and we have reported the incident to the Office of the Information and Privacy Commissioner (OIPC). The incident has been reported because personal records are involved, and because the OIPC provides useful advice in these situations. The TRU President has also been notified in accordance with s.30.5 of the Freedom of Information and Protection of Privacy Act.
Because of the nature of the bug (it would have occurred rarely and for only a limited duration each time), we believe only a very small number of individuals have been affected, the risk to those affected individuals being very low. This, combined with the fact that it was restricted to internal users gaining temporary access on an accidental basis, limits the likelihood that the information exposed was used maliciously.
As a precaution, however, we recommend that those that may have been affected review their financial information and bank transactions. If they notice any errors or irregularities they should contact their financial institution and TRU’s Privacy Office at 250-828-5012 right away. For other questions or concerns one can contact the TRU Privacy Office by email at [email protected] or by phone at 250-828-5012.
In response to this situation, TRU has taken immediate steps to ensure the privacy of our stakeholders is protected:
- The Office of the Information and Privacy Commissioner was notified of this breach.
- To eliminate any further risk, the myTRU Automatic Password Re-set feature has been disabled and will remain offline until we have assurances from the vendor that they have repaired the bug and verified the feature’s security extensively.
- This notice has been sent to all of those individuals who could have been affected.
- TRU’s privacy and security practices will be reviewed.
- TRU is currently working on the implementation of a new method of authentication for the myTRU portal and other systems. We expect to be able to have this new method in place by September.
- The vendor will be releasing a new Portal solution to all its clients sometime in 2016. As soon as the new portal is available, we plan to start work on migrating our portal functionality to the new and improved portal.
We are keenly aware of the importance of personal information and we understand that this may be an inconvenience and a concern. Be assured that student, staff and faculty privacy is of the highest priority at Thompson Rivers University. We sincerely apologize and regret that this situation has occurred.
Further information about TRU’s policies and procedures on privacy protection can be found at www.tru.ca/disclaimer/privacy.html, www.tru.ca/its/infosecurity, and www.tru.ca/secretariat/secretariat_foipop.html .