DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Ca: Thompson Rivers U. students and alumni notified that software bug exposed their info for 2.5 years

Posted on March 23, 2015 by Dissent

InfoNews.ca reports:

The private information of students and alumni at the local university could have been compromised sometime within the last three years because of a software bug that affected the institution’s online portal.

Students who used the online myTRU portal to access personal documents, including tuition payment options, received an email from Thompson Rivers University this weekend. The statement advised students their information, including financial records, faced what university representatives call a ‘small risk’ of being veiwed by another member.

“We have learned that a software bug in the myTRU portal introduced a small risk that private information could have been accidentally viewed by another member of the TRU community between October 2012 and March 16, 2015. There is no indication that there has been any misuse of this information,” the statement said.

Read more on InfoNews.ca.  The notice on TRU’s site, linked discreetly as “privacy concern”  says:

TRU has learned that a software bug in the myTRU portal introduced a small risk that private information could have been accidentally viewed by another member of the TRU community between October 2012 and March 16, 2015. There is no indication that there has been any misuse of this information.

A software bug in the myTRU portal self-service password re-set function has been confirmed and the feature has been disabled. When two individuals were attempting to reset their myTRU passwords at exactly the same time, one of those individuals sometimes gained one time access to the other’s portal. That access ended once they terminated their session in the browser or logged off. This means that only the people who have reset their password using the automatic feature would have had the possibility of being affected.

We have received no indication whatsoever that an unauthorized individual has misused any information and we have reported the incident to the Office of the Information and Privacy Commissioner (OIPC). The incident has been reported because personal records are involved, and because the OIPC provides useful advice in these situations. The TRU President has also been notified in accordance with s.30.5 of the Freedom of Information and Protection of Privacy Act.

Because of the nature of the bug, (it would have occurred rarely and for only a limited duration each time) we believe only a very small number of individuals have been affected, the risk to those affected individuals being very low. This, combined with the fact that it was restricted to internal users gaining temporary access on an accidental basis, limits the likelihood that the information exposed was used maliciously.

As a precaution however, we recommend that those that may have been affected review their financial information and bank transactions. If they notice any errors or irregularities contact they should contact their financial institution and TRU’s Privacy Office at 250-828-5012 right away. For other questions or concerns one can contact the TRU Privacy Office by email at [email protected] or by phone at 250-828-5012.

In response to this situation, TRU has taken immediate steps to ensure the privacy of our stakeholders are protected:

  1. The Office of the Information and Privacy Commissioner was notified of this breach.
  2. To eliminate any further risk, the myTRU Automatic Password Re-set feature has been disabled and will remain offline until we have assurances from the vendor that they have repaired the bug and verified the feature’s security extensively.
  3. This notice has been sent to all of those individuals who could have been affected
  4. TRU’s privacy and security practices will be reviewed.
  5. TRU is currently working on the implementation of a new method of authentication for the myTRU portal and other systems. We expect to be able to have this new method in place by September.
  6. The vendor will be releasing a new Portal solution to all its clients sometime in 2016. As soon as the new portal is available, we plan to start work on migrating our portal functionality to the new and improved portal.

We are keenly aware of the importance of personal information and we understand that this may be an inconvenience and a concern. Be assured that student, staff and faculty privacy is of the highest priority at Thompson Rivers University. We sincerely apologize and regret that this situation has occurred.

Further information about TRU’s policies and procedures on privacy protection can be found at www.tru.ca/disclaimer/privacy.html, www.tru.ca/its/infosecurity, and www.tru.ca/secretariat/secretariat_foipop.html .

 

No related posts.

Category: Education SectorExposureNon-U.S.

Post navigation

← Third US Health Entity Suspected of being Compromised
Twitch Security Breach Reported, Password Change Required →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Horizon Healthcare RCM discloses ransomware attack in December
  • Disgruntled IT Worker Jailed for Cyber Attack, Huddersfield
  • Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report
  • Texas Centers for Infectious Disease Associates Notifies Individuals of Data Breach in 2024
  • Battlefords Union Hospitals notifies patients of employee snooping in their records
  • Alert: Scattered Spider has added North American airline and transportation organizations to their target list
  • Northern Light Health patients affected by security incident at Compumedics; 10 healthcare entities affected
  • Privacy commissioner reviewing reported Ontario Health atHome data breach
  • CMS warns Medicare providers of fraud scheme
  • Ex-student charged with wave of cyber attacks on Sydney uni

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Supreme Court Decision on Age Verification Tramples Free Speech and Undermines Privacy
  • New Jersey Issues Draft Privacy Regulations: The New
  • Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report
  • Germany Wants Apple, Google to Remove DeepSeek From Their App Stores
  • Supreme Court upholds Texas law requiring age verification on porn sites
  • Justices nix Medicaid ‘right’ to choose doctor, defunding Planned Parenthood in South Carolina
  • European Commission publishes its plan to enable more effective law enforcement access to data

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.