DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Ca: Thompson Rivers U. students and alumni notified that software bug exposed their info for 2.5 years

Posted on March 23, 2015 by Dissent

InfoNews.ca reports:

The private information of students and alumni at the local university could have been compromised sometime within the last three years because of a software bug that affected the institution’s online portal.

Students who used the online myTRU portal to access personal documents, including tuition payment options, received an email from Thompson Rivers University this weekend. The statement advised students their information, including financial records, faced what university representatives call a ‘small risk’ of being veiwed by another member.

“We have learned that a software bug in the myTRU portal introduced a small risk that private information could have been accidentally viewed by another member of the TRU community between October 2012 and March 16, 2015. There is no indication that there has been any misuse of this information,” the statement said.

Read more on InfoNews.ca.  The notice on TRU’s site, linked discreetly as “privacy concern”  says:

TRU has learned that a software bug in the myTRU portal introduced a small risk that private information could have been accidentally viewed by another member of the TRU community between October 2012 and March 16, 2015. There is no indication that there has been any misuse of this information.

A software bug in the myTRU portal self-service password re-set function has been confirmed and the feature has been disabled. When two individuals were attempting to reset their myTRU passwords at exactly the same time, one of those individuals sometimes gained one time access to the other’s portal. That access ended once they terminated their session in the browser or logged off. This means that only the people who have reset their password using the automatic feature would have had the possibility of being affected.

We have received no indication whatsoever that an unauthorized individual has misused any information and we have reported the incident to the Office of the Information and Privacy Commissioner (OIPC). The incident has been reported because personal records are involved, and because the OIPC provides useful advice in these situations. The TRU President has also been notified in accordance with s.30.5 of the Freedom of Information and Protection of Privacy Act.

Because of the nature of the bug, (it would have occurred rarely and for only a limited duration each time) we believe only a very small number of individuals have been affected, the risk to those affected individuals being very low. This, combined with the fact that it was restricted to internal users gaining temporary access on an accidental basis, limits the likelihood that the information exposed was used maliciously.

As a precaution however, we recommend that those that may have been affected review their financial information and bank transactions. If they notice any errors or irregularities contact they should contact their financial institution and TRU’s Privacy Office at 250-828-5012 right away. For other questions or concerns one can contact the TRU Privacy Office by email at [email protected] or by phone at 250-828-5012.

In response to this situation, TRU has taken immediate steps to ensure the privacy of our stakeholders are protected:

  1. The Office of the Information and Privacy Commissioner was notified of this breach.
  2. To eliminate any further risk, the myTRU Automatic Password Re-set feature has been disabled and will remain offline until we have assurances from the vendor that they have repaired the bug and verified the feature’s security extensively.
  3. This notice has been sent to all of those individuals who could have been affected
  4. TRU’s privacy and security practices will be reviewed.
  5. TRU is currently working on the implementation of a new method of authentication for the myTRU portal and other systems. We expect to be able to have this new method in place by September.
  6. The vendor will be releasing a new Portal solution to all its clients sometime in 2016. As soon as the new portal is available, we plan to start work on migrating our portal functionality to the new and improved portal.

We are keenly aware of the importance of personal information and we understand that this may be an inconvenience and a concern. Be assured that student, staff and faculty privacy is of the highest priority at Thompson Rivers University. We sincerely apologize and regret that this situation has occurred.

Further information about TRU’s policies and procedures on privacy protection can be found at www.tru.ca/disclaimer/privacy.html, www.tru.ca/its/infosecurity, and www.tru.ca/secretariat/secretariat_foipop.html .

 

Category: Education SectorExposureNon-U.S.

Post navigation

← Third US Health Entity Suspected of being Compromised
Twitch Security Breach Reported, Password Change Required →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Hearing on the Federal Government and AI
  • Nigerian National Sentenced To More Than Five Years For Hacking, Fraud, And Identity Theft Scheme
  • Data breach of patient info ends in firing of Miami hospital employee
  • Texas DOT investigates breach of crash report records, sends notification letters
  • PowerSchool hacker pleads guilty, released on personal recognizance bond
  • Rewards for Justice offers $10M reward for info on RedLine developer or RedLine’s use by foreign governments
  • New evidence links long-running hacking group to Indian government
  • Zaporizhzhia Cyber ​​Police Exposes Hacker Who Caused Millions in Losses to Victims by Mining Cryptocurrency
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Google: Hackers target Salesforce accounts in data extortion attacks

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • The Decision That Murdered Privacy
  • Hearing on the Federal Government and AI
  • California county accused of using drones to spy on residents
  • How the FBI Sought a Warrant to Search Instagram of Columbia Student Protesters
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Malaysia enacts data sharing rules for public sector
  • U.S. Enacts Take It Down Act

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.