Applicants to the University of Chicago Law School had their personal information exposed this month after a senior administrator sent a mass email with the sensitive data unknowingly attached, a university spokeswoman told EdScoop.
An attached spreadsheet included the names, contact information, academic data like GPA and test scores, and admissions decisions — with comments — of every applicant to U. Chicago’s Fall 2019 Master of Laws program. The information was attached to an email sent on March 1 to the 297 students who were admitted into the program. Several people discussing the incident in an online forum say it was Richard Badger, the university’s associate dean, who sent the email.
“We have the highest respect for our applicants and their privacy, and deeply regret the error,” said Marielle Sainvilus, U. Chicago’s director of public affairs.
Sainvilus said the university took corrective action as soon as the mistake was discovered. “We notified everyone whose data was included in the spreadsheet to express our apologies and provide information about the data that was disclosed,” she said.
However, some applicants have been critical of the way the university has handled the situation.
According to one user of a Master of Laws discussion page, the school failed to notify those affected by the leak until three days after the incident.
“I was baffled that it took so long for the school to take an action, and that a short single email was all that the school can do,” the user wrote.
Illinois data breach notification law requires schools to notify individuals of a breach once it is known, but does not specify a time frame within which the notification must occur. Rather, it states, “the disclosure notification shall be made in the most expedient time possible and without unreasonable delay.”
Other affected applicants said they were also disappointed with the top-tier law school, pointing out how competitive the legal industry is and how harmful this data leak could be to the future law professionals affected.
Sainvilus said those who received the data were instructed to delete the email and that the university is continuing to follow up with the few recipients who have yet to respond to that request. However, if the data has been downloaded from the email, the university can’t retrieve the information or stop it from being shared.
“We are currently looking into whether additional corrective action may need to be taken, and are examining our practices to try to ensure that this does not happen again,” Sainvilus said.