Update: This article was originally published with the statement that students’ ID number, name, email, address and/or date of birth were compromised. This is incorrect. Only the students’ name, ID number and date of birth were included in the breach.
Personal information of some NAIT students was compromised in a data breach from a third party security company used by Gallivan, NAITSA’s student benefits provider.
In an email on July 19, Gallivan informed impacted students of “an incident that may affect the privacy of [their] personal information.” The breach included students’ name, ID number and date of birth. Gallivan first learned of the data breach on March 10, 2023 by a third-party security company used for secure file transfer of data.
Gallivan has since discontinued use of the third-party service, which was “used to confirm [students’] enrolment or opt-out status of [their] student health and wellness program.” They have also reported the incident to the Office of the Privacy Commissioner of Canada and relevant provincial privacy authorities.
“I was a little bit annoyed because like, I was not expecting my private data to be spread out across wherever it got spread,” said Fraser Sockett, a NAIT student.
According to the email to impacted students, Gallivan is unaware of misuse or exposure of the leaked data, but explained that it could still be used for “fraudulent purposes, including theft.” As a result, Gallivan will provide eligible students free access to an online credit monitoring service, myTrueIdentity, for 12 months. This service will email students’ about “critical changes to [their] TransUnion Credit Report.” Students under 18 or without extensive credit history will be given access to a dark web monitoring service.
Sockett said he’s “not too concerned” about the breach, primarily because he already takes steps to protect his online identity. He’s more concerned about students who aren’t familiar with identity theft or how to protect themselves.
“All the data could easily be used in a phishing email, like scammers could easily use a NAIT or NAITSA letterhead on emails with a link to a bogus site that would be able to just steal their information if they typed in the correct information,” said Sockett.
NAITSA addressed the data breach in a statement, assuring that NAITSA “takes the protection of [their] students’ data seriously.” While they called the news of the breach “initially concerning,” the statement explains they are confident in how Gallivan handled the situation.
Sockett, however, was unhappy with the length of time between Gallivan learning of the breach and when they informed students. “It’s been four months, which is kind of unacceptable. Honestly, for a tech company, they should be on it a lot more than they were.” Gallivan did not respond to request for comment.