Some Camosun College students had their student ID, name, and date of birth accessed in a data breach incident that happened earlier this year.
On March 10, 2023, Gallivan—a partner organization to the Camosun College Student Society (CCSS) that provides post-secondary organizations with health and dental plans—was notified about the breach. The data breach happened with file transfer software GoAnywhere MFT, developed by cybersecurity company Fortra; the vulnerability that led to the breach has impacted over 100 organizations worldwide.
An email was sent to the impacted students on July 19 from the CCSS on behalf of Gallivan. In the email, Gallivan states that the breach was reported to the Office of the Privacy Commissioner of Canada and provincial privacy authorities. (As of press time, Gallivan has not responded to requests for an interview with Nexus.)
A credit monitoring service, MyTrueIdentity, is being offered to impacted students free of charge for a 12-month period. Students who have minimal or no credit history, however, aren’t eligible for credit monitoring services; instead, a darkweb monitoring service may be available to them.
CCSS executive director Michel Turcotte says that students who were contacted regarding the breach shouldn’t panic due to the limited amount of information that was compromised, and he says there’s no evidence that the stolen data has been used.
“First, I’d like to say that any student that was impacted by the breach… knows about it because they were directly communicated to,” says Turcotte. “If a student hasn’t been notified, we don’t want to create some sense of panic, because they were not impacted by the breach… We know exactly who was, you know, potentially impacted. But that said, the data breach was as a result of a third-party software that was used by one of the partners which we work with to provide health and dental insurance to the students. And, we have to transfer some data so that the students can be enrolled with Canada Life [Insurance], and that special file transfer software was potentially impacted by a data breach.”
Turcotte says that the breach might have more to do with the persistence of hackers than the security of the GoAnywhere software that was compromised.
“The file transfer program that was impacted was considered to be one of the most secure in the industry by a major company whose business is providing internet security,” says Turcotte. “I mean, it’s a tricky world out there in terms of cybersecurity. So, I don’t know what more could have been done under the circumstances, because in order to do business and provide services, information of some sort needs to be transferred. And you can do everything you can, as was done in this case, to protect that data but sometimes if groups of hackers or nation-states or that sort of stuff devote enough energy, nowadays, you can brute force anything.”
To protect students, a new file transfer program is now being used; according to Turcotte, it’s also considered to be one of the best in the industry.
“It’s a scary world out there in terms of privacy and internet security,” he says. “The whole industry might be working towards finding better ways at securing data in general, or the public will have different expectations about privacy and those sorts of things. I’m not sure what’s going to happen, but a different program is now being used to transfer that information, and we hope it’s secure… It was selected by one of our partners, but it’s supposed to be also one of the best in the industry. There’s been a lot of work put into trying to make sure that this doesn’t happen again.”