This page contains frequently asked questions regarding the privacy breach involving a trouble ticketing system used by IT Services and other departments.
How do I know if any of my personal information was included in the database?
Your personal information may have been included in information submitted to our trouble ticketing system depending on the nature of the incident, inquiry or request. People whose information may have been exposed received a letter on June 3, 2016. If you received the letter and want further details about what personal information of yours may have been exposed, please contact us at firstname.lastname@example.org with your request.
Why was my personal information included in the database?
Your personal information may have been included in information submitted to our trouble ticketing system depending on the nature of the incident, inquiry or request.
If I suspect my personal information has been exposed, what can I do to protect myself?
To protect your identity and personal information, we suggest that you monitor personal accounts and memberships of all kinds for any unusual or suspicious activity over the next several months. This applies to University and external accounts and memberships.
When was the information in the database publicly available?
The information was available between January 27, 2016, and May 16, 2016.
How many people were impacted?
A total of 20,294 email addresses were informed of the privacy breach. The list includes both internal and external addresses for many of the informed users. We do not know exactly how many people may have included personal information when requesting assistance through our trouble ticketing system.
What is SFU doing to make sure this doesn’t happen again?
To prevent further breaches, we are:
- Forming a Change Advisory Board;
- Improving our procedures for detecting unprotected databases; and
- Initiating an external audit of information security at the University, coordinated with the SFU Internal Auditor, in order to determine the areas of greatest risk. Following the audit we will take appropriate action to manage the risk.
Can you provide me with the details of my correspondence with you?
Yes, please contact us at email@example.com with this request.
Who can I contact to file a complaint about this?
You may consult the website of the Information and Privacy Commissioner's office at www.oipc.bc.ca for general information about protection of personal privacy. You have the right to complain to the Commissioner by writing to:
Information and Privacy Commissioner
PO Box 9038, Stn. Prov. Govt.
Victoria, British Columbia V8W 9A4
If you submit a complaint, please provide the Commissioner’s office with:
- Your name, address, and telephone number;
- A copy of this letter; and
- The reasons or grounds upon which you are complaining.
Has the University contacted law enforcement about this incident?
Law enforcement has not been contacted about this incident as we have no evidence that there has been any misuse of the information contained in the database.
What is the legal recourse for an individual whose personal information may have been included in the privacy breach?
The University does not provide legal advice to individuals outside of the scope of their duties as employees or agents of the University.
Is this connected to the recent spam problems?
To our knowledge, this is not in any way connected to the amount of spam messages in your SFU email.
The battle between anti-spam vendors and spammers is like an arms race; each side is constantly one-upping the other. For example, the spam campaign we experienced flooded our inboxes for a day or two and then seemingly disappeared. But behind the scenes, our anti-spam technology caught up to the spammers and is now blocking their attack.
Here's our list of the top three tips on how you can help reduce spam:
- Limit who has permission to send to any mail lists you own.
- Flag emails that you suspect are spam by clicking on the "Junk" or "Spam" button in your email client.
- Avoid replying to any messages you suspect are spam as spammers may use responses to validate your email address.
Why was a PDF attached to the email informing me of the privacy breach?
Due to the nature of the incident, we took a formal approach to communicating with the impacted users. In similar circumstances, other organizations have distributed formal notices via PDF attachment and postal mail. As we do not have mailing addresses for the impacted users, we sent only the PDF via email.
We have received similar feedback from others about the use of the PDF attachment, and we will consider how we use attachments in future communications.