The email was sent on 5 November to about 300 recipients in the social science faculty. When the error was discovered, the university sent an email apology saying that, where possible, its IT department had deleted the email sent in error because of the sensitive nature of its contents.
The follow-up email asked recipients to respect the privacy of the individual concerned, not to share the confidential data, and to delete any copies they had.
The university told the Norwich Evening News that it had contacted the member of staff to apologise and would be providing support.
“Steps were taken to recall the message as soon as possible using an automated process that can be run by a limited number of UEA employees allowing the removal of the specific email, without accessing individuals’ email inboxes,” a spokesperson said.
“The university will continue with the roll-out of our newly created action plan to prevent incidents like this in the future.”
The university also said it is looking into how and why the incident occurred and what can be done to ensure the mistake is not repeated.
But the university clearly failed to learn from a previous data leak in June 2017, when details of health problems, family bereavements and personal issues of 42 undergraduates granted extensions and other concessions were sent in error to 298 American studies students.
In October, an investigation by the Information Commissioner’s Office found that no regulatory action was needed, and the university said it was following recommendations to prevent similar leaks.
Thomas Fischer, global security advocate at data loss prevention firm Digital Guardian, said the university had failed to learn from the previous incident.
“This incident again reinforces the need for ‘data aware’ security technologies right across the education sector,” he said. “This would help to protect data at source, removing the risk factor associated with human error and insider threats.
“Had the University of East Anglia had such technologies in place, it could have prevented highly sensitive information from being sent without prior approval and prevented it from being opened by the recipients. Universities have a duty of care to their staff and students, so must better prioritise data protection so that mistakes like this don’t happen again.”
Adenike Cosgrove, cyber security specialist for email security firm Proofpoint in Europe, said the data leak at the University of East Anglia follows several cyber-related incidents hitting UK universities, and points once again to the human vulnerability.
“Data breaches are not just a IT security issue, but a fundamental data governance issue,” she said. “Organisations must combine information security with data governance programs that identify, classify and protect critical and sensitive data assets.
“Technologies like encryption and data loss prevention (DLP) provide automated controls that protect the processing and storage of confidential information. Only by leveraging technology controls can the likelihood of data exposure be reduced.”