A wayward email at the California State Polytechnic University in Pomona, California, was a learning moment for the university and its employees last week, as the incident triggered a sweeping re-evaluation of data sharing, encryption, and storage procedures.
University spokesman Tim Lynch told EdScoop that a spreadsheet containing personal information of all 4,557 students enrolled in CPP’s College of Science was accidentally attached to an academic advising email and sent out on Jan. 28 to the 940 computer science majors at the university. The leaked data included the name, address, academic standing, email addresses, school ID number, gender, ethnicity, and GPA of every College of Science student, Lynch said. Login credentials, dates of birth, and Social Security numbers were not exposed.
A computer science student who received the email brought it to the university’s attention, Lynch said, and CPP’s IT team was able to delete the email and remove it from recipients’ inboxes about 40 minutes after it was sent.
Affected students were notified on Jan. 29. An email from university registrar Daniel A. Parks obtained by EdScoop reads: “Cal Poly Pomona is sending this letter to you as part of our commitment to maintain the privacy and security of our students’ information. We take this commitment very seriously and it is important to us that you are made fully aware of a recent event.”
The email then details the extent of the breach and the subsequent deletion process and goes on to say, “We seriously regret the inadvertent release of your personal information and are taking immediate measures to prevent this from happening in the future.”
Lynch said that the exposure of the students’ information was an honest mistake by a university employee and that the university is opting to keep that employee’s identity private.
“Unfortunately, it gets down to human error,” Lynch said. “It could have been anyone.”
Users from the university’s unofficial Reddit page who claimed to have received the email said it came from professor Daisy Tang, chair of the Computer Science Department.
Although the email has since been deleted, Lynch said there is no way to know how many people downloaded or copied the information before access was lost.
Several Reddit users claiming to be CPP students expressed concern and frustration over the incident, including worries about possible violations of the Family Educational Rights and Privacy Act.
One Reddit user wrote, “It’s insane to think a spreadsheet with this much info is being passed around without any measure [of] security like encryption.”
“I’m not a [computer science] major,” wrote another user, “but shouldn’t this type of info be protected somehow?”
Lynch said that the university has safeguards in place to protect its systems and data, but new tools and procedures are being looked into. “Certainly we can do better,” he said.
The incident has triggered a comprehensive review of all university practices, Lynch said, including how information is shared, accessed, and secured.
Coincidentally, a new tool for academic advising services that would eliminate the need for group emails was developed shortly before the incident, but had not yet been implemented, Lynch said. He said the university is evaluating the software, called CPP Connect, and other ways to improve its data management and information security.
As for the culprit, Lynch said, “I can tell you right now, I’m highly confident that the person who feels worse of all … is the employee [who] hit the send key.”
He said the university does not have plans to punish the individual.
“We’re going to use this as a teachable moment,” he said. “Unfortunately, sometimes it takes a situation like this to surface the issues.”
As new safeguards are put into place, Lynch said, the university is going to focus on testing and training to ensure that new tools work properly and are used knowledgeably. School administrators are taking this situation very seriously, Lynch assured: “We are using this to develop better practices.”