
University of Guelph students informed of data breach 5 months after events

Take action: It's bad form to delay data breach notification for 5 months. It's worse form to claim "timely notification is not our problem since the data breach was at a subcontractor".



Students at the University of Guelph (UoG) in Ontario, Canada, have been informed about a data breach involving a third-party security company used for secure file transfers.

The tool in question is GoAnywhere by Fortra, which was used for transfers between Gallivan (the student health, dental, and wellness program provider), their administration systems, service partners, and the Central Student Association (CSA).

The breach occurred on March 10 and potentially exposed personal information, including:

  • names,
  • student numbers,
  • dates of birth.

The number of impacted individuals is not disclosed.

On July 26, the subcontractor Gallivan assured students that it is not aware of any misuse of the information at present and is taking a proactive approach by providing information about the incident, its response, and steps to protect personal information.

The UoG director of communications deflected the question of why notification was delayed, stating that the third-party data breach falls outside the University of Guelph's systems and that inquiries regarding notification timelines should be directed to Gallivan.
