A security setting on the MyFile application that is part of York’s Student Information System Document-on-the-Web service was unintentionally configured incorrectly in a manner that could be misused by manually altering web query parameters to allow an authenticated York applicant to potentially access documents uploaded by another applicant.
Over what time period did this issue exist?
The MyFile setting error existed between Jan 25, 2019 and Dec 8, 2020. The period of time of possible inappropriate access is between Jan 25, 2019 and Dec 8, 2019. Exposure of any specific document was only possible for a maximum of two days after upload. Due to the nature of the issue and the lack of misuse over the period of time for which we can verify access, we believe the likelihood there was any inappropriate access over this period to be very low.
What documents were potentially exposed?
Documents uploaded by individual applicants using the Student Information System Documents on the Web application (SIS DOW) to upload documents to MyFile. The documents uploaded varied, but fall within the following categories: transcripts, letters, CVs, supplementary application information, written work and course descriptions.
Notifications have been sent to all users of this tool who uploaded documents during the time of potential exposure. If you’ve been notified but are not sure which of your documents were potentially exposed, a tool has been created to allow users of MyFile tool to see what documents were uploaded during this period. Please refer to your email/letter for the link.
What was done to address the issue?
As soon as the issue was reported on December 8, 2020, the IT support team took immediate and appropriate action to remediate the root cause of the problem to eliminate any further potential for misuse. A fail-safe component was added to prevent access even in the event of a similar misconfiguration, and the duration of time documents are in holding prior to upload into the system has been reduced from two days to a maximum of one hour.
Was this a cyber-attack? Did this target anyone specific?
This was not a cyber-attack against the University; the issue was an incorrect setting in MyFile and affected only those using the system in question. The applicant who discovered the issue immediately reported it and that remains the only known instance of anyone inappropriately accessing documents. There is no evidence any cyber-criminals were aware of the issue or attempted to misuse it to access data.
I received a notification email/letter, but I do not remember which documents were affected. How can I find this info?
A tool has been created to allow users of MyFile to see what documents they have previously uploaded. You may use this tool to confirm what documents were uploaded and when. Refer to your email/letter for the link.
What did the University do when it learned about the incident?
We take the privacy of personal information of our students, faculty and staff very seriously. As soon as the issue was discovered, and the cause identified, the University took the following steps:
- Notified the University’s Information, Privacy & Copyright Office and senior administrators about the incident;
- Began a detailed investigation to determine the exposure of information;
- Contacted the individual who accessed the records to confirm that the information was not distributed or made use of, and had been destroyed; and
- Corrected the configuration error and added additional precautions to prevent such an error from occurring in the future.
How do I protect myself from potential misuse of data?
Although Social Insurance Numbers and other sensitive financial information were not at risk in this incident, as a general practice, we recommend that you carefully check your credit reports for accounts you did not open or for inquiries from creditors you did not initiate. If you see anything you do not understand, call the credit agency immediately.
If you have immediate questions about your privacy at York University, contact firstname.lastname@example.org.
As an additional precaution, you may wish to visit https://www.ipc.on.ca/privacy-individuals/ to find additional information and resources from the Privacy Commissioner of Ontario to help individuals protect their identities. You may also file a complaint with their Office; information may be found on their website at https://www.ipc.on.ca/guidance-documents/forms/.