Email from City College officials mistakenly disclosed sensitive information of nearly a thousand students
The City College office of a state-funded program meant to support disadvantaged students inadvertently emailed a spreadsheet detailing sensitive information from 871 City students
November 4, 2021
Personal information of nearly a thousand San Diego City College students affiliated with a campus program that offers added support to economically and educationally disadvantaged students was mistakenly sent to fellow City College students last week, according to emails from San Diego Community College District officials.
In an unsigned email sent by the SDCCD on the afternoon of Oct. 27, the district notified affected students of the disclosure.
It said City College’s Extended Opportunity Programs and Services office sent an email on Oct. 26 about transfer opportunities that mistakenly contained a spreadsheet with sensitive student information attached.
EOPS is a state funded program that provides added counseling, transfer preparation and retention services to students who have may not have previously considered college an option, according to the program’s City College and SDCCD websites.
The email apologized for the mistake and noted the district is working to put safeguards in place to ensure it does not happen again.
“Please delete the email and the attached excel spreadsheet and be sure to remove it from your “trash” as well,” the district noted in the Oct. 27 email.
In a follow-up email sent on Oct. 28 to affected students, SDCCD Vice Chancellor of Educational Services Susan Topham wrote the spreadsheet listed EOPS students’ identification numbers, addresses, dates of birth, telephone numbers and email addresses.
Also included in the spreadsheet was a slew of academic information such as student’s majors, units earned and enrolled in, financial aid application status, unmet financial need numbers, academic standing with the organization and grade-point average.
“We apologize that this error occurred,” Topham wrote in the email. “SDCCD has reminded all employees of its existing policy that information including student identification numbers and other personally identifiable information not be sent via email, and the sharing of such information is only permitted via secure shared drives maintained by SDCCD.”
She also noted no social security numbers or financial account information had been included in the disclosure and that the district had no reason to believe the information would be misused.
As an extra security measure, she wrote, the district would be requiring all affected students to reset the password of their Canvas accounts, the course management system on which SDCCD students complete assignments.
Canvas’ default username and password are a student’s ID number and their birth date, respectively.
The district declined a request for an interview, but offered a statement with the opportunity for follow-up questions. In that statement, emailed by Jack Beresford, SDCCD’s director of communications and public relations, the district wrote the total number of City EOPS students affected by the disclosure was 871.
They also said the email containing the spreadsheet, which was sent to 271 fellow City students, was recalled by the sender.
“The SDCCD takes this incident very seriously and expresses its regret to all students involved,” read district’s statement. “It is currently reviewing the occurrence to assess if changes in policy and/or additional security measures are needed to ensure the confidentiality of student records.”
SDCCD utilizes Microsoft Outlook for its email needs, and although the recall feature utilized by the district does remove unopened emails from recipients’ inboxes, it only functions if the recipient also uses Outlook. According to recent studies, under 10% of consumers use Outlook.
And unfortunately, this strategy often backfires.
Non-Outlook users receive a notification when a sender attempts to recall an email, and as a recent TechRepublic article on the topic noted, “the first thing anyone is going to do when being told the sender tried to pull that email back is immediately open the email to see what they wanted to hide or take back.”
Eva Velasquez, CEO of the Identity Theft Resource Center, a non-profit organization established to support victims of identity theft, said even though the information disclosed didn’t contain the identity credentials necessary to open financial accounts, it still has value.
Velasquez said having true data about an individual could make it easier for properly motivated bad actors to circumvent fraud detection and mitigation tools.
Potentially gaining access to financial aid routing information, which is housed on SDCCD’s student portal, may present that sort of motivation. Although passwords for that portal were not included in the spreadsheet, the username for the platform is a student’s ID number, which was included.
Due to the nature of this disclosure, however, Velasquez said affected students may be at slightly less of a risk of their information being compromised.
“I guess the best way to put it is it’s the difference between a lost phone and a stolen one,” Velasquez said. “If your phone is stolen, you know that the person who now has it has nefarious intent. If it’s lost, you don’t actually know the person who now has it, what their intent is.”
“Because this was sent to students, this wasn’t out on an unsecured cloud database where anyone can see it, it’s a little harder to determine ‘what is the intent’?” she added.
While he wouldn’t speak about this specific incident, David Kennemer, director of City’s cybersecurity program, said when someone’s information is exposed it’s vital to take proactive solutions to minimize any risks.
“It is important for those who have had private identifiable information leaked to change passwords, notify the various financial institutions for potential fraud, and monitor their credit reports for any suspect changes,” Kennemer said.
These safeguards don’t account for other non-financial, reputational harms that may result from the disclosure of information like GPAs.
He directed anyone who suspects their information to have been used to open new accounts to visit the Federal Trade Commission-run website IdentityTheft.gov, where they can get a free personal recovery plan.
“Sometimes the silver lining on these events is that it serves as a wake-up call,” Velasquez added. “We have to work together to not make it easy for the bad actors.”