Late last month, Manitoba Student Aid (MSA), a provincial government program which lends money to post-secondary students, accidentally released over 700 student email addresses to the public.
An email message was sent out to current aid recipients, inviting them to participate in a third-party survey run by Higher Education Strategy Associates (HESA). Instead of being individually and privately addressed to students, recipients of the email were able to see each other’s addresses.
The message was delivered to at least 299 individuals, but a provincial government spokesperson recently told the Manitoban that a total of 739 students were affected by the security lapse.
“Aside from the email addresses, no other personal information was contained within the email[s] [ . . . ] it is not possible to access any student aid information through this email address,” said the spokesperson.
Despite this claim, many of the Gmail account addresses were linked to users’ personal Google+ social network pages. In addition, depending on the email client, a large number of addresses also displayed the first and last names of the address holder.
The spokesperson from the province explained that, “the [email address] list was randomly generated from the list of students who have applied to Manitoba Student Aid since August 1, 2013.”
“This list does not confirm [whether] a student did or did not receive student financial assistance – only that he or she applied,” and therefore does not link to “anything including province/school of study, residency, income level, or any other demographic information,” the spokesperson continued.
However, the list of recipients included nine University of Manitoba student email accounts, which obviously indicate the province and school of study.
Following the first email, a second was sent out, declaring that the sender “would like to recall” the first message. This second email also displayed the email addresses of all recipients. A day later a third correspondence was sent out, this time with names and email addresses hidden.
“We understand that you are very concerned about protecting your personal information. Please be assured that, aside from your email address, no other personal information was contained within the email,” read the third message.
The third and last email goes on to inform students that the efforts taken to recall the messages revealing their email accounts were largely unsuccessful. The security failure was explained as being a result of the recipient’s email addresses not being placed in the BCC box of the email, thus allowing recipients to see each other’s addresses.
The Manitoba spokesperson went on to say that, “the error was identified that same day [ . . . ] and the Ombudsman was immediately contacted and advised of the situation.”
When asked how individuals would know whether they were among those affected by this leak, the spokesperson said, “[students] would have received an email and an apology.”
Individuals concerned with the information release have the right to file a complaint with the Manitoba Ombudsman, the public official charged with investigating complaints against government institutions.