University initiates plan to notify those potentially affected
TORONTO, Feb. 23 /CNW/ - Ryerson University today initiated a plan to
notify individuals whose personal information may have been exposed due to an
isolated software error discovered in the University's Student Administration
System (SAS) which went live with an upgrade on November 17, 2008.
Ryerson became aware of the incident when three students voluntarily
contacted the University and provided information about the error in late
December and early January. Collectively, the information of 588 individuals
potentially was exposed when the three students encountered the software
error. The personal information that may have been viewed consisted of a
varied combination of name, gender, date of birth, student number, mailing
address, email address and, in many cases, Social Insurance Number.
"Ryerson places the highest importance on the privacy and security of all
personal records," said Heather Driscoll, Information and Privacy Coordinator.
"After the students contacted us, we began an internal investigation. On
January 9, Ryerson installed a software patch it had designed to address the
error. We subsequently engaged Ernst & Young, Information Management and
Analysis Group, to assist us with the investigation."
Based on repeated testing, both internally and by Ernst & Young, it has
been determined that the Ryerson software patch addressed the vulnerability
and that there is no indication the error has recurred. Ryerson has no reason
to believe there has been any misuse of the personal information in question.
Ernst &Young has confirmed that up to 363 other individuals, while
electronically registering for courses at Ryerson between November 17, 2008
and January 9, 2009, may also have had the ability to view the personal
information of others in the SAS database. As part of the continuing
investigation Ryerson has retained the services of Ipsos Reid to contact each
of the 363 individuals to obtain information on their experience when
attempting to register.
"As standard protocol, we have initiated a plan to notify the 588
individuals potentially affected," said Driscoll. "We have informed the Office
of the Information and Privacy Commissioner of Ontario. And in light of this
incident, again as standard practice, Ryerson is reviewing applicable privacy
and security policies and procedures and will appropriately enhance them where
Added Driscoll: "The three students who initially contacted us have been
commended by Ryerson President Sheldon Levy for their initiative, integrity
and sense of responsibility."
For information on Ryerson's Information Protection and Access Policy:
For further information:
For further information: Janet Mowat, Public Affairs, Ryerson
University, Tel: (416) 979-5000 ext. 7002, E-mail: firstname.lastname@example.org; Heather
Kearney, Public Affairs, Ryerson University, Tel: (416) 979-5000 ext. 4282,