Issue 1779 News

"Enormous" data breach result of Imperial College blunder

Felix has discovered that Imperial College London accidentally released the personal data of thousands of students

Felix has discovered that Imperial College London accidentally released the personal data of thousands of students, including at least their full names, UCAS numbers, dates of birth, home addresses, ethnicity, telephone numbers and the room number they stayed in when in halls.

The data was made accessible by the College’s Freedom of Information (FOI) team in the form of an Excel spreadsheet, where it appears rows containing sensitive data were hidden but not deleted.
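The "hidden but not deleted" failure above is mechanically detectable before a file is released. The following is an added example (not from Felix or the College): a stdlib-only Python check that opens the workbook as the zip of XML parts it really is and flags hidden rows, columns and sheets; the sample workbook is constructed inline and only holds the parts the checker reads, and the part-path resolution assumes relative relationship targets.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
PKG = "http://schemas.openxmlformats.org/package/2006/relationships"

def find_hidden_content(xlsx_bytes):
    """Map sheet name -> (sheet hidden?, hidden row numbers, hidden column numbers).
    Reads the raw OOXML parts in the zip: what any recipient can see, shown or not."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        # Resolve each sheet's r:id to its worksheet part (assumes relative targets).
        rels = ET.fromstring(zf.read("xl/_rels/workbook.xml.rels"))
        part = {r.get("Id"): "xl/" + r.get("Target") for r in rels.iter(f"{{{PKG}}}Relationship")}
        wb = ET.fromstring(zf.read("xl/workbook.xml"))
        for sheet in wb.iter(f"{{{MAIN}}}sheet"):
            ws = ET.fromstring(zf.read(part[sheet.get(f"{{{REL}}}id")]))
            rows = [int(row.get("r")) for row in ws.iter(f"{{{MAIN}}}row")
                    if row.get("hidden") in ("1", "true")]
            cols = [n for col in ws.iter(f"{{{MAIN}}}col") if col.get("hidden") in ("1", "true")
                    for n in range(int(col.get("min")), int(col.get("max")) + 1)]
            report[sheet.get("name")] = (sheet.get("state") in ("hidden", "veryHidden"), rows, cols)
    return report

def safe_to_release(xlsx_bytes):
    """True only if nothing is hidden; hidden rows, columns and sheets are still in the file."""
    return not any(h or r or c for h, r, c in find_hidden_content(xlsx_bytes).values())

def build_sample_xlsx():
    """Constructed minimal workbook holding only the parts the checker reads (not a file
    Excel would open): 'Summary' hides rows 2-3 and columns C-D; 'Raw' is veryHidden."""
    wb = (f'<workbook xmlns="{MAIN}" xmlns:r="{REL}"><sheets>'
          '<sheet name="Summary" sheetId="1" r:id="rId1"/>'
          '<sheet name="Raw" sheetId="2" state="veryHidden" r:id="rId2"/></sheets></workbook>')
    rels = (f'<Relationships xmlns="{PKG}">'
            '<Relationship Id="rId1" Type="t" Target="worksheets/sheet1.xml"/>'
            '<Relationship Id="rId2" Type="t" Target="worksheets/sheet2.xml"/></Relationships>')
    summary = (f'<worksheet xmlns="{MAIN}"><cols><col min="3" max="4" hidden="1"/></cols>'
               '<sheetData><row r="1"/><row r="2" hidden="1"/><row r="3" hidden="true"/>'
               '</sheetData></worksheet>')
    raw = f'<worksheet xmlns="{MAIN}"><sheetData><row r="1"/></sheetData></worksheet>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, xml in [("xl/workbook.xml", wb), ("xl/_rels/workbook.xml.rels", rels),
                          ("xl/worksheets/sheet1.xml", summary), ("xl/worksheets/sheet2.xml", raw)]:
            zf.writestr(name, xml)
    return buf.getvalue()
```

Hiding a row only changes a display flag; the safe release path is to copy the visible cells into a fresh workbook (or export to CSV) rather than to hide what should not be sent.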

The data was made available on the website WhatDoTheyKnow.com (WDTK), where it was publicly available for anyone to download for nine days, before being flagged by the person who made the request and subsequently removed from the site. The data was available from the 14th to the 23rd of June 2021.

The requester was approached for comment.

WhatDoTheyKnow.com is a website designed to make responses to Freedom of Information requests public. Any member of the public could have downloaded and saved this data during this timeframe.

The original request, titled ‘Data by college halls’ asked:

“For all undergraduate halls, for the last 5 years, could you please provide for each individual hall:

- Number of students by each subject (eg: 100 computing, 25 physics)

- Number of students by fee status (Home/EU/international)”

A further request for the percentage of students by age and gender was made later the same day.

The person who made the original request described the mistakenly uploaded data as containing “thousands of rows of student records - including full names, UCAS numbers, DOBs, room numbers, home addresses, ethnicity, and telephone numbers”. 

When asked for comment, Imperial College declined to specify exactly what data was included in the breach, or how many students’ details were included. If the data leaked was comprehensive for all students included in the original request, this would have been the data for every student who stayed in halls of residence at Imperial College in the last 5 years.

Once the requester of the FOI had pointed out that the document sent contained such a considerable amount of personal data, the College’s FOI manager, whom we have chosen not to name, responded to say they could not see any personal data included in the spreadsheet. Only when the requester explained how they had viewed the personal data did the FOI team accept that a breach had occurred and ask the user to delete the document from their device.

A WhatDoTheyKnow volunteer described the breach as “significant” and said it involved “enormous amounts of personal data, including highly sensitive personal data”. 

When asked for comment, an Imperial College spokesperson said “As soon as we were made aware of this breach we immediately self-reported to the ICO who have since confirmed that they are content with Imperial’s response and will take no further action”. This comes in contrast to the correspondence on WhatDoTheyKnow.com, where it appears that when the original requester highlighted the breach, the College’s FOI team responded by saying, incorrectly, that no personal data was included in the document. 

When asked whether any attempt had been made to notify the students whose data was included in the breach, a College spokesperson responded by saying that “the data was only accessed by the requester and College and WDTK staff who were working to resolve the issue”, and that “The ICO’s regulatory guidance advises against notifying individuals in such circumstances”. Confirmation that no one had downloaded the data other than the original requester was gained through collaboration between Imperial College and WDTK.

The spokesperson also added that the College “have implemented a series of additional measures to prevent this happening again”, though did not elaborate on what these were.

This statement follows another potential data breach, which occurred after the breach in question and which cannot be detailed for sensitivity reasons.

When informed of the breach, Imperial College Union commented “The Union was concerned to learn of this incident, which could easily have led to the breach of a significant amount of student personal data. We hope the College will seriously review its processes for handling student data in light of this and other incidents”. When asked whether holding the College simply to the letter of the law in terms of data protection was enough, the Union added “This narrow aversion of disaster shows that adherence to regulatory requirements is clearly not a sufficiently high bar - the College should be far more proactive in protecting students’ personal data”.

Imperial College declined to comment on whether the personal data of anyone seeking refuge or otherwise protected was included in the breach.

Imperial College declined Felix’s request for interview.