Notice of Data Breach - BeMore Platform

What happened?

  • An email was received by the Student Groups team on 7th May 2019 at 21.51pm which was read on 8th May 2019 at 9.20am.
  • This email highlighted an issue on the Union’s training platform, Be More, whereby some personal data could be viewed by visitors to the site.

What data was visible?

The data that was compromised was low risk to the rights and freedoms of individuals and included:

  • Name
  • Email address (668 personal or work emails)
  • Student ID (in cases where a student email address had been used)
  • Mobile phone number (1543 individuals)

Why is this low risk?

The report of this breach highlighted that it was possible to establish the URL of individual profiles for users of the platform which contained some or all of the above data.

Access to these URLs required prior knowledge of either the data subject’s name or student number which would, therefore, mean anyone accessing the data would also already be able to ascertain the email of the data subject.

The individual profile URLs also varied depending on how the data subject registered to the platform, and so there is no clear pattern that could be followed to access the profiles of all users.

What is happening next?

  • We have removed individual profiles so that they are no longer visible.
  • We have removed the leaderboard page where this breach was first identified.
  • Individuals are still able to view their own profiles in order to access their training records and certificates.
  • We are in the process of updating the platform to include a link to the Union’s privacy policy and the usage of this data upon registration.
  • We have contacted the limited number of individuals who have been directly affected by this.
  • We have published this article under the principle of transparency.

If you have any further questions please contact the Union’s Data Protection Officer at dataprotection@upsu.net.