New details have emerged concerning a “cybersecurity incident” affecting Algonquin College alumni in winter 2014.
Through an information request, it was revealed the college found a computer worm in a decommissioned server that could have revealed former students’ personal information. Upon investigation, it was determined there was no evidence that data was taken.
The social insurance numbers, names, addresses, visa statuses and other sensitive data belonging to students enrolled in specific years of the business information technology and nursing programs were vulnerable to being easily accessed. Algonquin jointly offered these programs with Carleton University and the University of Ottawa respectively. The affected years were confined to the 2004, 2008, 2009 and 2012 classes. The information was stored without encryption on the server where the malicious computer software was found. When sought for comment, the Algonquin Times was informed that Algonquin’s senior manager, information security and data privacy, Craig Delmage was unavailable.
The incident was discovered and reported to the Information and Privacy Commissioner of Ontario, which holds jurisdiction in privacy cases in public educational institutions, in May 2015. Letters informing students of the event were sent the following month.
“We worked with the college to determine how the breach occurred, the steps taken to contain it, the notification process and assistance provided for those involved, as well as steps taken to prevent a similar situation from happening again,” said IPC’s director of communication Rob McMahon in an email. “We were satisfied with the college’s response and have closed our file on the matter.”
The letter explains the data was stored, unencrypted, on the network, meaning a person could simply read the information. The college did confirm no health data or credit card information was accessed during the intrusion and subsequent investigations found no information was actually taken from the server.
“The potential was there, but there was no forensic evidence to show that it had been ‘extracted,’” said computer systems technology program coordinator Patrick Ouellette.
To combat against the risk that any revealed information could be used maliciously, affected students were offered complimentary identity theft protection from idAlerts Canada.
With the high-profile leak of the Avid Life Media’s Ashely Madison membership database this summer, the importance of keeping personal information safe and secure has become increasingly obvious.
Badly implemented cryptographic protections, randomized data that needs to be decoded to be readable, utilized by Avid Life Media have been broken into with surprising efficiency. Insufficient security combined with outside-the-box thinking has allowed researchers to reveal membership information, emails and passwords of the extramarital affair website.
Algonquin College offers resources to students to protect themselves from online privacy threats at www.algonquincollege.com/infosec.