Queen’s students affected by McMaster security breach

Students contacted about “unauthorized individual” who accessed personal admissions data

After a cyber intrusion at McMaster University in November, some Queen’s students have been notified their admissions information may have been compromised. 

In a letter sent from Melissa Pool of McMaster’s University Registrar to several Queen’s students who had previously applied to the University, Pool explained, “an unauthorized individual accessed a secured storage site containing certain [aspects] of your personal information.”

“The personal information that was accessed was limited to information contained in the offer of admission package that had been sent to you by McMaster in response to your application for admission. The personal information did not include any sensitive financial or health-related information,” the letter read.

According to CBC News, an 18-year-old McMaster student was arrested and charged after hacking into McMaster’s applicant information system. Constable Lorraine Edwards told reporters the student was charged with the “unauthorized use of a computer,” with further charges pending.

A university spokesperson told CBC News that 25,000 applicants were affected by the breach. 

Melissa La Rochelle, a Queen’s student who applied to McMaster in 2015, was notified of the breach. La Rochelle told The Journal that receiving Pool’s letter was “worrisome.”

“At first, I was pretty confused that I was getting a letter from them, and as I read it, it actually worried me a little bit,” she said. “Schools have quite a bit of information about students and their background (family, grades, economic status) and we should be able to trust that our personal information is secure.”

When asked if Queen’s is vulnerable to a similar intrusion, Denise Ernst, CISSP Information Security Officer, told The Journal in an email, “Queen’s takes the security and privacy of student data very seriously.”

“Student information collected by the University is protected by an array of security measures, including encryption and authentication,” Ernst wrote. “Employee access to students’ personal and academic data is controlled and granted on a demonstrated need-to-know basis.”

Though Ernst said Queen’s lives up to “international best practices” when it comes to cyber-security, she acknowledged “hackers and other malicious actors frequently attempt to circumvent institutions’ security measures, leaving no organization immune.”

Ernst explained that the University is in the process of rolling out a new training course for staff and faculty, meant to “provide people with knowledge about online threats and how to protect against them.”
