An errant email leaked academic information on every student at the Cal Poly Pomona College of Science, in California.
University publication Poly Post reports that it was, of all people, the American school's computer science department that was to blame for the exposure of 4,557 active student records in an email that got sent out to other students – and was later partially posted to the forums of Reddit.
The data leak occurred on January 28, when an administrator with the uni's computer science department intended to send its 940 students each a separate email containing their individual academic records. It seems that, by accident, attached to that email was a spreadsheet containing the academic details of everyone in the college of science.
While there was no particularly sensitive information in this spreadsheet (i.e. social security numbers or home address), the spreadsheet did contain records including students' current academic standing and their grade point average (GPA).
While the email was reportedly spotted and withdrawn less than an hour after it was sent, at least one of the students who received the email was able to save the information and post it to Reddit as an infographic.
"The University took immediate measures to delete the emails, but we cannot confirm whether any identifying information was downloaded or shared on platforms outside the University’s control," the administration said in an email to students (the school provided a copy to The Register).
Q. What do you call an IT admin for 20-plus young children? A. A teacherREAD MORE
"All active students in the College of Science were notified of the incident the morning of January 29 and instructed to contact the Registrar’s Office regarding questions or concerns. The University has begun a comprehensive review of our practices regarding the sharing and accessing of personal information. Revisions to our policies and practices and other steps the University will be taking to ensure the privacy of information will be shared regularly with the campus community."
That any information was leaked is bad enough, but for the leak to happen at the computer science department of Cal Poly, a noted science and engineering university, is - to say the least - highly embarrassing.
The incident is also leading security experts to question the school's record-keeping and data security policies.
"Accidents happen, but you have to wonder why sensitive data was stored in a spreadsheet in the first place," Stealthbits Technologies VP Martin Cannard said in a statement provided to El Reg.
"Perhaps data was exported for mail merge but any student information over and above what was required should have been removed as a matter of due diligence."
Let this be a reminder: always, always, double-check before hitting the "send" button. ®