The external hard drive that went missing at the beginning of September contained information on approximately 900 current and former U of O students. Photo: Matthew Zucca.
Reading Time: 3 minutes

University investigates missing hard drive estimated to contain personal information of 900 students 

On the evening of Sept. 21 the University of Ottawa announced that it was investigating an external hard drive that went missing earlier this month, which contains information on approximately 900 students.

The information in the hard drive pertains to current and former students at the university who used the Student Academic Success Service’s (SASS) Access Service to obtain academic accommodations due to mental or physical disabilities. A press release from U of O media relations states that all students potentially affected by the breach are being notified via email.

In an email to the Fulcrum, U of O media relations acting manager Isabelle Mailloux-Pulkinghorn said that students are only at risk of being affected if they accessed accommodation services “between 2013 and September 2016.”

A student at the U of O’s Faculty of Law, who requested to remain anonymous, told the Fulcrum that they received an email notifying them of the breach which stated that the university had been made aware of the missing hard drive on Sept. 1. The student said that if this sort of incident happens again in future, they would like to see it “immediately” reported to students.

A second-year student at the Telfer School of Management, who also preferred to be unnamed, received an email indicating that his private information may have been affected, and said in an email to the Fulcrum that he is “appalled that an organization handling confidential medical documents would be so reckless.”

“If an organization is going to demand to have detailed medical information then they better be able to keep the information safe and secure,” he said.

“Once the information is out there it can’t be fixed. These aren’t passwords or credit card numbers, it’s sensitive medical information. The information that Access Service has is information that is kept confidential for a reason. I’d be scared at even the slightest chance that an individual with malicious intent could potentially access it.”

The student also believes that to prevent this from happening again in future, the university should start by “never storing sensitive information on an external hard drive.”

According to Umar Ruhi, assistant professor of information systems and e-business at the Telfer School of Management, external hard drives are not the best option for the protection of data stored by organizations like the U of O.

“External hard drives may be OK for personal backups at your home when both convenience and contingencies are important considerations,” said Ruhi. “However, it makes no sense why external drives would be used in a corporate environment.”

According to Ruhi, in the realm of information security, “confidentiality, integrity, and availability” are three main objectives that must be satisfied.

“Backups improve the availability of your systems and information. However, when someone physically runs away with your hard drive, you pretty much didn’t do a good job about ensuring availability.”

Ruhi says that for highly sensitive information, using multiple levels of encryption is always recommended. However, U of O media relations did not confirm whether the external hard drive at Access Service was protected through encryption by the date of this publication.

“Ultimately, security requires technical controls as well as formal controls at the organizational level to make sure that only authorized people are able to access the data and the devices on which the data resides. This was clearly not the case here,” said Ruhi.

The university has reported the incident to the Ottawa Police Service and the Information and Privacy Commissioner of Ontario, and stated that measures have been enacted at SASS to prevent future breaches, although they have not confirmed what these measures would be.

The university’s investigation is described as “ongoing,” and with a main objective of determining what personal information specifically has been accessed. The university is also offering an information line to affected students to support them through the investigation.

This article was last updated on Sept. 27, 2016.