University Statement: Information Data Breach

It came to the attention of the University of York this week that there had been an unauthorised breach of student records. This allowed access to student records without the need for authentication.

The University took immediate action to rectify this problem and we can reassure our students this is no longer possible.

However, before that action was taken, 148 individual records were accessed.

We have identified and contacted each of these individuals to inform them of the situation and have offered our full support in this matter.

The protection of all our staff and student data is of the utmost importance and we have apologised unreservedly for this breach.

We have informed the Information Commissioner and our internal auditors. We are investigating all procedures and data management systems and will undertake a thorough review of our data security arrangements. Results of this investigation, and recommendations from our Internal Auditors, will be used to make any necessary improvements to how we handle data in the future.

The student information temporarily available was:

Personal information including name, date of birth, gender, term time, home and emergency contact details (including address, home and mobile phone and email)
Course information including areas of study (but not marks), Department, College
Course supervisor, year of study and entrance qualifications
Student number, library number, user name
Part time/full time and estimated year of completion, status (Registered, on Leave of Absence etc)

There was no access to financial information, photographs, examination numbers, or information about ethnicity.

17 March 2011