Uni staffer's health info blabbed in email list snafu

The University of East Anglia has been involved in a personal data breach for the second time in five months. Around 300 postgraduate students in the received an email on Sunday 5 November which contained "personal information about the health of a member of staff", due to the accidental use of an email distribution list. UEA …

  1. JimmyPage Silver badge
    WTF?

    Sorry, is this El Reg or "Take a Break" ????

    UEA's IT department responded by remotely extracting the email from the accounts to which it had been sent.

    What does that even mean ? They just did a Microsoft Exchange "recall" ? What about non-exchange mail servers ? What about people who use Outlook's preview feature (which bypasses the "recall" feature, as many a co-worker discovered when I saw "recalled" emails).

    1. Korev Silver badge

      Re: Sorry, is this El Reg or "Take a Break" ????

      I think the recipients of the email were all students, so presumably they all use UEA's email system.

      1. Dabooka

        Re: Sorry, is this El Reg or "Take a Break" ????

        @Korev

        Swing and a miss. Kinda....

        I'd guess 99% of our students use auto forwarding to the email service of their choosing. Typically they log in once and immediately set the feature up. Many staff do this in induction as they'd rather know the email gets through rather than languishing in the system they never check.

        1. Anonymous Coward

          Re: Sorry, is this El Reg or "Take a Break" ????

          @Dabooka

          "Many staff do this in induction"

          Are you speaking specifically about UEA with first hand knowledge?

          It would be somewhat worrying if this was the case and was permitted. It is perfectly possible to prevent staff doing this in Exchange and something that really should be implemented in organisations subject to the DPA.

        2. Korev Silver badge
          Windows

          Re: Sorry, is this El Reg or "Take a Break" ????

          When I was there it was Pine on OSF1*, none of this mouse-driven nonsense!

          I can still recall the hostnames, does that make me a bit sad?

        3. Anonymous Coward

          Re: Sorry, is this El Reg or "Take a Break" ????

          I have no opinion about students but I'm pretty sure allowing staff to auto forward their emails is a bad idea.

      2. Quentin North

        Re: Sorry, is this El Reg or "Take a Break" ????

        Nope, they all use Office 365

    2. Swarthy

      Re: Sorry, is this El Reg or "Take a Break" ????

      That's why the University asked everyone who received the e-mail (probably in a follow-up mail (and please, for the love of everything, not a "forward" with the original attached/appended)) to not read it, delete it, and delete any copies. Because asking is actually more effective than the Recall, and that is horrifying.

    3. Phil W

      Re: Sorry, is this El Reg or "Take a Break" ????

      "What does that even mean ?"

      Most likely it means running a PowerShell script to delete the message from the mailbox of all the recipients. This is eminently doable, and wouldn't even take too long in a case like this where the list of recipients can be easily retrieved from the sent item/distribution list.

      It is unfortunate that the University allows the students to create forwarding rules outside their domain, as it just adds to the problems in cases like this. One would hope that the staff are prevented from doing this.

      1. Quentin North

        Re: Sorry, is this El Reg or "Take a Break" ????

        Most universities provide students with either Office/365 or Google Mail as their student email system. Typically the university won't have much control over the end point once delivered, as from a MS/Google perspective the contract is with the student as an individual rather than the university.

        1. Adam 52 Silver badge

          Re: Sorry, is this El Reg or "Take a Break" ????

          "contract is with the student as an individual rather than the university."

          I don't think that's ever been tested in court, and I suspect that the big SaaS providers really would rather that it never is.

          1. Anonymous Coward

            Re: Sorry, is this El Reg or "Take a Break" ????

            "contract is with the student as an individual rather than the university."

            As said above, this has never been tested in court; however, while they are active students the University is likely paying for the students to have premium Office 365 features but will cease doing so after graduation, leaving them with just a basic free account.

            I would imagine legally this means the contract is with the University for as long as they are paying for it.

            1. Anonymous Coward

              Re: Sorry, is this El Reg or "Take a Break" ????

              "The University is likely paying for the students to have premium Office 365 features"

              Microsoft and Google both do provide their email systems to universities for "free" (ie, if you're not paying for the product, you ARE the product)

              To my knowledge, whilst there are contracts in place no money has changed hands.

              The odds of such "free" services remaining "free" are a matter of debate - and many universities have no "backing out" policies, or have even taken the simple expedient of setting up something like imap/smtp.university.ac.uk as a CNAME pointing to the google or MS servers - which would mean simple rehousing of the services, rather than having to tell large numbers of people to reconfigure their mail clients.

  2. Anonymous Coward

    UEA

    The UEA use Microsoft 365 so I would imagine most students would be accessing their UEA email via one of the computers on the campus through the online portal provided.

    Anonymous? .. of course

    1. Quentin North

      Re: UEA

      I think that's probably not the case. I think most students will be using their phone or laptop, neither of which will be managed, and the Office/365 account is an individual contract with MS, albeit facilitated by UEA. In short I don't think they will be able to run some PowerShell against student mailboxes.

      1. Stevie

        Re: UEA

        My experience of Office 365 is that it is so slow and useless I'm surprised whoever it was managed to compose the email and get it out in the first place.

        "Mark all as read" frequently causes the system to become unresponsive for 30 minutes or more.

        "Manage rules" pops up a freaking MODAL window at every stage, including the "updating server" message, so nothing can be done while it is deciding whether to hang or not.

        Slow network doesn't help, but there was a serious lack of smarts at work when the client processes were being "thought" out. Thunderbird is way more civilized when it comes to not locking up the entire application with unnecessary modal windows.

        1. Alan Brown Silver badge

          Re: UEA

          "My experience of Office 365 is that it is so slow and useless I'm surprised whoever it was managed to compose the email and get it out in the first place."

          In many cases it's still better than the mail systems it replaced - but they were so bad because university administrations wouldn't pay for server upgrades. (and there's a lot of speculation that most deals were agreed via a handshake on a golf course rather than actual business cases)

  3. Terry 6 Silver badge

    What year is this?

    It's not as if sending to a list instead of an individual was exactly a new risk. And staff of everywhere have no excuse whatsoever to make that mistake. Even once.

    1. Anonymous Coward

      Re: What year is this?

      Human beings, huh?

    2. DNTP

      Re: What year is this?

      I know a salesperson who was literally just fired for sending a lengthy quote intended for a single client with special financial qualifications, to what obviously was his entire customer mailing list.

  4. caffeine addict

    Any email that goes to a distribution list of more than 50 people needs a maths check (even "what's 5+3") to stop people sending it without thinking. Any email intended to go to more than 50 people (not on an official list) should just bring up an alert that says "stop it, go find a real mass mailer".

    It's been like this since I joined the workforce. How has no-one fixed this kind of thing in the last 25 years?

    1. Quentin North

      Universities are strange places, and emailing 300 people in one go is a common thing.

      1. Pompous Git Silver badge

        "universities are strange places, and emailing 300 people in one go is a common thing"

        This is very true. Strange thing happened at UTAS on Wednesday; email went down for several hours. The Hobart Mercury (aka The Mockery) yesterday reported that this was due to an "interruptible (sic) power supply catching fire".

    2. DNTP

      How has no one fixed this

      Techies who implement any kind of thought-process check step for an IT function inevitably get yelled at by the Director/CEO/President of their company that it's a huge inconvenience, and they either decide humanity isn't ready for the idea or they get canned.

      Then their company appears in the tabloids for, say, the CFO wiring the company's entire balance of liquid funds to a Nigerian prince by accident, and then the inevitable executive spokesperson whining about how there should have been technological safeguards, etc.

      1. Daedalus

        Re: How has no one fixed this

        The best way to get something past TPTB is to present it via an animated paper clip.

        "Hello! You appear to be trying to wire money to a Prince in Nigeria. Can I help you with that?"

  5. Stevie

    Bah!

    What a great day. No problems at work, rotten weather finally clearing up, daft "no-dropbox due to no bandwidth or firewall clearance for dropbox on work net & not enough hours in day or bux in the plan to sync over my portable hotspot every day" solution to not carrying essential laptop* to and from work while I have back trouble working like a charm** and even that old Climate Scandal is blowing off my alma mater, good old UEA.

    I'll just prop me feet up and fire up the laptop for some unauthorized El Reg time and - D'OH!

    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

    * - the only way to get manuals from IBM and Oracle (work firewall rejects download attempts, as these fine establishments keep everything as zip files and The Firewall Boss knows that all evils come from zip files no matter who is peddling them, no exceptions allowed no not even IBM or Oracle now go away), search forums for solutions (FWB feels that forums are if anything one step worse than zip files as vectors of evilness and forums aren't work related and go away again) and remote link to work with useful stuff made during the day already to hand 'cos I have better editors on my laptop than on my workstation. Without this laptop and my hotspot it'd take days to solve problems I get sorted in less than an hour (when I can get a decent signal). Not to mention being able to read El Reg when I want to.

    ** - I bought a second refurbished laptop of the same model for under $300 and just schlep the old harddrive from home to work and back. Yes it's dumb. But it is cheaper and faster and more reliable than trying to do the cloudy thang over my hotspot.

  6. kain preacher

    I want to say how do things like this happen. Then I'm reminded of the phrase, when you make something idiot proof they build a better idiot.
