The University of East Anglia has paid out £142,512 to students after their personal details were mistakenly sent to hundreds by email.
The amount paid by insurers on the university’s behalf was revealed following a freedom of information request by the university’s student newspaper, Concrete.
According to the university, the breach occurred in 2017 after an email autofill function suggested a group email address, which a UEA staff member incorrectly selected when attempting to send a file to a colleague.
The file, a spreadsheet which was not password protected, was sent to 298 people. It listed students’ extenuating circumstances (personal circumstances which might affect a student’s performance in assessment or examinations).
An independent internal auditor’s report found that: “[Instead of using email,] the shared drive should have been used for sharing the information, the attachment should have been password protected and the University’s email infrastructure could have been configured in a way which, while less convenient, would have reduced the prospect of an incorrect address being selected and, in particular, an address which was a group email.”
The report added: “All of these issues are being addressed by the University.”