University pays out more than £142,000 to affected students after data breach

The amount paid by insurers on the university’s behalf was revealed following a freedom of information request by the university’s student newspaper, Concrete.

According to the university, the breach occurred in 2017 after an email autofill function suggested a group email address which a UEA staff member incorrectly selected when attempting to send the file to a colleague.

The file, a spreadsheet which was not password protected, was sent to 298 people. It listed students' extenuating circumstances (personal circumstances which might affect a student’s performance in assessment or examinations).

An independent internal auditor’s report found that: “[Instead of using email,] the shared drive should have been used for sharing the information, the attachment should have been password protected and the University’s email infrastructure could have been configured in a way which, while less convenient, would have reduced the prospect of an incorrect address being selected and, in particular, an address which was a group email.”

The report added: “All of these issues are being addressed by the University.”