Due to an administrative error, from Feb. 11–18, applicants to the University of Waterloo graduate studies programs were able to search and view other graduate applications as well as undergraduate applications in a database.
“An administrative error meant that a self-service option gave 8,000 graduate applicants at Waterloo the ability to see a search function that meant they could potentially look at a limited subset of application information for 56,000 prospective students,” said Nick Manning, director of media relations and issues management for UW.
During this time 4,000 of the potential 8,000 applicants logged into the server. To search the database, an applicant would have had to log in and log out after each individual search. According to Manning, there is no evidence on suspicious levels of logging in from any applicant in the system logs during the exposed time frame.
“We are extremely sorry that any applicant data was potentially exposed to any Waterloo applicants,” said Manning. “We take information security very seriously, and that’s why we took swift action to correct the error and also take action to make sure we’ve contacted people who were potentially affected as well as informing the Information and Privacy Office of Ontario.”
No health, financial, or contact information was available. Applicants’ names were also not included, but student ID numbers as well as their high school transcripts were available. Current student information was not included.
As soon as UW became aware of the error, the IT department disabled the search function in 30 minutes and new oversight procedures have been put in place to prevent the issue from arising in the future.
Emails have also been sent to all 56,000 applicants notifying them of the breach of privacy as well as the 18,000 people that graduate applicants had listed as references.
“If somebody had went into a graduate student application, they would have seen the name, institution, and email address of those referees,” said Manning. “It is important to note that those referees weren’t tied to a name. At no point was anybody identified by name.”
The Graduate Studies and Registrar’s Office have been fielding responses from concerned applicants, mostly answering questions regarding what information became visible and the potential of identity theft. Manning stressed that no information made available could have been used to steal someone’s identity nor was the breach part of a malicious attack on the university’s information systems. The error also bears no effect on whether the applicants will be accepted or not.
