Potential NUI Galway data breach puts students’ information at risk

The breach is due to the loss of a USB stick

The National University of Ireland, Galway (NUI Galway) have suffered a potential data breach which poses a risk to students’ names, student numbers, and exam results.

In a statement issued on their website, NUI Galway announced that a USB stick was potentially used to store a confidential file containing a list of students, along with their student numbers and exam results. The USB stick has since been misplaced and its current location is unknown.

The statement detailed: “NUI Galway recently suffered a potential breach of personal data whereby a non-encrypted portable device (USB stick) was potentially utilised to store a confidential file containing a list of students.  The device was mislaid and is now presumed lost.”

“While the University is unclear on the contents of the portable device, it may have held a file containing names of approximately 5% of the student body, their student number and exam results.”

An estimated 5% of NUIG students are included on the affected list. NUI Galway has notified all students who may have been impacted by the potential breach.

NUI Galway has reported the incident to the Office of the Irish Data Protection Commissioner, who is providing guidance on the matter to the university.

The university expressed its intent to undertake a review of their data protection policies and procedures to ensure that similar incidents do not occur in the future.

NUI Galway Students’ Union (NUIGSU) President Megan Reilly issued an optimistic response and suggested a student-inclusive reaction to the issue, stating: ‘“We are going to ensure that students are part of the review process so that a breach like this doesn’t happen again.”

NUI Galway did not respond to a request for comment.

Concerns regarding student’s data protection in Ireland have been raised in recent months following several instances of data breaches. In late August, University College Dublin Students’ Union (UCDSU) voiced strong concerns regarding the way in which data was stored in the online system for Student Leap Cards. The system allowed Leap Card staff members to access the personal details of a student, including an email address, phone number, date of birth, and home address, by inputting a six-digit code.

As the first few digits of a code was entered into the search, a list would be produced of students whose number matched the inputted sequence, which would reduce as the member of staff filled in all of the six digits. This would potentially allow the staff member to access a wide number of students’ information while conducting a search for a specific student.

Trinity Sport are expected to present a report to the data Protection Commission after the personal data of over 168 sports scholarship applicants were leaked last month. An email issued to students during the final stages of the awarding office saw the wrong form mistakenly attached to the email, which allowed recipients to access a database of applicants’ personal information.