Additional Information / Transfer Credit Form - Potential Data Exposure

WHAT HAPPENED?
A security setting on the Supplementary Information and Additional Information forms (AIF), part of York’s admissions process, was unintentionally misconfigured. As a result, another York applicant who manually altered web query parameters could potentially access information uploaded by an applicant.

OVER WHAT TIME PERIOD DID THIS ISSUE EXIST?
The form setting error existed between November 9, 2016 and May 27, 2021. The period of possible inappropriate access is between November 9, 2016 and May 27, 2021. Given the nature of the issue and the lack of misuse over that period, we believe the likelihood of any inappropriate access during this time to be very low.

WHAT INFORMATION WAS POTENTIALLY EXPOSED? 
Information provided by individual applicants using the forms was potentially exposed. The forms included free-form text fields. The information provided by applicants varied but falls within the following categories:

  • Full name
  • Phone number
  • Email address
  • Student / Applicant ID
  • Date of birth
  • Academic History
  • Extra-curricular and Leadership Experience
  • Additional information

Notifications have been sent to all users of these forms who provided information during the time of potential exposure. If you’ve been notified but are not sure which of your documents were potentially exposed, please contact admforms@yorku.ca.

DID THIS EXPOSURE IMPACT MY ADMISSIONS?
No. Information provided in the Additional/Modified Information form and the Transfer Credit Form is assessed on a case-by-case basis. The Admissions team does not compare information across records and your information was only used by staff to review your specific application.

WHAT WAS DONE TO ADDRESS THE ISSUE?
As soon as the issue was reported on May 27, 2021, the Information Technology support team took immediate and appropriate action to remediate the root cause of the problem to eliminate any potential for misuse. The forms were immediately taken down and fail-safe measures were added to prevent access even in the event of a similar misconfiguration.

WAS THIS A CYBER-ATTACK? DID THIS TARGET ANYONE SPECIFIC?
This was not a cyber-attack against the University; the issue was an incorrect configuration made when the forms were created, and it affected only those using the forms in question. The applicant who discovered the issue reported it immediately, and that remains the only known instance of anyone inappropriately accessing documents. There is no evidence that any cyber-criminals were aware of the issue or attempted to misuse it to access data.

I RECEIVED A NOTIFICATION EMAIL/LETTER, BUT I DO NOT REMEMBER WHICH DOCUMENTS WERE AFFECTED. HOW CAN I FIND THIS INFO?  
You may contact admforms@yorku.ca to confirm what information was provided and when.

WHAT DID THE UNIVERSITY DO WHEN IT LEARNED ABOUT THE INCIDENT?
We take the privacy of personal information of our students, faculty and staff very seriously. As soon as the issue was discovered, and the cause identified, the University took the following steps:

  1. Notified the University’s Information, Privacy & Copyright Office and senior administrators about the incident;
  2. Disabled further use of the form and removed it from the web;
  3. Began a detailed investigation to determine the exposure of information;
  4. Contacted the individual who accessed the records to confirm that the information was not distributed or used, and had been destroyed; and
  5. Corrected the configuration error and added additional precautions to prevent such an error from occurring in the future.

The forms remain disabled and will not be re-activated. Alternate forms will be created and integrated directly within secure systems.

WHO WAS INVOLVED IN THE INVESTIGATION AND WHAT DID IT ENTAIL?
Several teams across the University, including University Information Technology, Office of the Vice-Provost Students and the Office of the University Registrar, were mobilized to identify steps to address this issue. To ensure that the investigation was thorough and complete, the University took a rigorous, multi-step approach to gather, analyze and evaluate data. This process required manual data analysis and verification procedures to ensure validity of the data.

HOW DO I PROTECT MYSELF FROM POTENTIAL MISUSE OF DATA?
No Social Insurance Numbers or other sensitive financial information were at risk in this incident, although as a general practice, we recommend that you carefully check your credit reports for accounts you did not open or for inquiries from creditors you did not initiate. If you see anything you do not understand, call the credit agency immediately.

If you have immediate questions about your privacy at York University, contact info.privacy@yorku.ca. If you have immediate questions about this specific incident, contact admforms@yorku.ca for assistance.

As an additional precaution, you may wish to visit https://www.ipc.on.ca/privacy-individuals/ to find additional information and resources from the Privacy Commissioner of Ontario to help individuals protect their identities. You may also file a complaint with their Office; information may be found on their website at https://www.ipc.on.ca/guidance-documents/forms/.