Privacy breach at MacEwan

October 4, 2007

By Jeremy Loome, Legislature Bureau

A city college chose not to inform students and others whose personal credit information was left publicly available through its Internet site, it has confirmed.

MacEwan College was cited in the auditor general.s report this week after a tipster told the AG.s office about the security breach in 2006. It mirrored access problems in 2002-2003, the AG's report confirmed.

The college chose not to tell those whose personal information was included in the accessible journal entries based on an assessment of risk by its Freedom of Information and Protection of Privacy office, said MacEwan spokesman Gordon Turtle.

Turtle said that.s because the information was of such a specialized nature that unless the person viewing it was an accountant, they.d have a hard time realizing what they were looking at.

"It would be like looking for a needle in a haystack," he said.

According to the auditor general's investigation, the breach included computer scans of .employee and student information such as credit card numbers, copies of cheques, signatures, addresses, as well as college information such as bank account numbers and deposit receipts..

Initially, the school made the information accidentally accessible from 2002-2003 by mistake and externally. Once it was spotted, the information was restricted to the college's internal network. But students could still access the information via the college's computer labs.

Turtle said the college.s information technology team discovered an external breach again last year and tied it to software installed about six weeks before the problem was identified to them.

Public institutions engender trust, and that.s just one of several reasons why students should have been told, even if the college was confident the breach was minor, said MacEwan Student Union president Justin Benko.

"Based on what the auditor report says, if bank account information and credit card numbers and signatures were readily available and obvious, there should've been something said," he said.

Vivek Dharap, executive director of information systems auditing for the Auditor General.s office, said after finding out about the problem, the AG.s office contacted the school and it immediately closed off access.

Regardless of how long the information was available, Alberta.s information and privacy office encourages anybody who releases personal information accidentally to tell those who may have been affected, said spokesman Marylin Mun.

main page ATTRITION feedback