By Anastasia Blosser, Dexter LeRuez and Gabriela Silva Ponte
The Toronto Metropolitan Students’ Union’s (TMSU) health and dental benefit provider, Gallivan, experienced a data breach that could have exposed Toronto Metropolitan University (TMU) students’ private information.
In an email sent to some students in early October, the TMSU said this privacy incident involved one of Gallivan’s third-party service providers. Student numbers, names and dates of birth could have been disclosed. The email also said Gallivan was informed of the breach on March 10.
According to a TMSU statement emailed to The Eyeopener, the students’ union was notified back in June that student data may have been exposed.
Most students did not receive an email alerting them of the breach until Oct. 4, three months after the TMSU was made aware, while others were never told at all.
Any students registered for the Fall 2022 session could have been affected, the TMSU said in the emailed statement.
Students at the University of Guelph and Western University were also affected by the breach but were informed in July.
In the emailed statement to The Eye, the TMSU said it took longer to notify students at TMU because the school “has a robust security process in place” and therefore, it took time for them to receive student email addresses.
“This level of information sharing from TMU to TMSU is not a common occurrence and a great testament to the priority and level importance with which the matter has been dealt,” the TMSU said in the statement.
Data exposures are not uncommon for universities because they are common targets, the TMSU said in the email to The Eye. They said the incident has also affected over 100 organizations worldwide.
The TMSU also said that Gallivan is no longer using the third-party service provider and reported the incident to the office of the Privacy Commissioner of Canada, as well as the relevant provincial authorities.
“At the moment, there is no evidence that students’ personal information has been misused or further exposed,” the TMSU’s statement read.
The Eye reached out to Gallivan for their comment, but did not receive it in time for print publication.
Sam Andrey, the managing director of The Dais—”an action-oriented public policy and leadership think tank at TMU” as stated on their website—said a date of birth could be used as an identifier by some websites. With a combination of other leaked information, identity theft could occur, he said.
“I think the likelihood that this could be used by itself to do any kind of identity theft or that sort of thing [is] pretty low,” Andrey said.
Despite the TMSU’s reassurance and expert’s belief that the leak’s impact is minimal, many students are still concerned about the safety of their private information.
Third-year sociology and history student Zoë Mitchell said the news was disappointing.
“I don’t think I’ve given any [critical] data to our health care [provider], but in terms of it coming within TMU’s jurisdiction, that’s really upsetting,” she said.
Second-year math and its applications student, Kerry Tan, agreed.
“I definitely would not want the university to hold specific [private] information [after the incident],” said Tan.
John Marquez, a first-year psychology student, said online security is important to him and was concerned when he heard about the breach.
“That’s pretty sensitive information that I wouldn’t want other people to know about,” he said.
Marquez said the situation is worrying and has lowered his trust in the health insurance’s security.
“People put their trust in public institutions to safeguard their information,” said Andrey. “When that trust is broken, it can undermine a whole variety of things.”
TMU president Mohamed Lachemi distanced the school from the data breach.
“As an entity that is separate from TMU, the TMSU has its own governance structure, bylaws and agreements with third parties,” he said.
Lachemi said TMU has a strong cybersecurity program in place.
“The fact that [students] have to use two-factor authentication when [they] log in to TMU services is one example of that,” he said.
Lachemi said it is prudent for TMU students to protect themselves, including the use of credit monitoring services.
Following the incident, Gallivan and the TMSU are working to provide affected students with resources to protect themselves against identity theft and fraud.
Those affected will be receiving an email containing an activation code for an online identity protection service provided by Gallivan, according to the TMSU’s email to students. But, students with minimal or no credit history will not be eligible.
Additionally, identity theft prevention will be provided to students through CyberScout—a cyber protection service provider—for one year with call centre agents available to provide answers to questions about cybersecurity.
“It’s a good way for students to check if people are using their personal information in a potentially nefarious way,” said Andrey. “That’s something to follow up on if students are worried about [identity theft].”
Andrey mentioned the security incident is a reminder for students to practice good “cyber hygiene.”
“Regularly change your passwords, don’t use the same password for multiple [sites], use two-factor authentication where you can, things like that,” he said.
Correction: A previous version of this story included a different headline. The headline has now been updated to be a more accurate representation of the story. The Eye regrets this error.