Sensitive data about some of Pembroke College’s alumni from the 2021 telethon was made available to current Oxford University Single Sign-On (SSO) users in a data breach. This included the full names, ages, addresses, and telephone numbers of alumni, alongside notes taken during calls held between telethon workers and alumni. The calling sheets also held information about previous donations made to the college by the alumni named, and the amount that the telethon workers were told to ask alumni for at the end of calls.
Alongside the alumni data, information about Pembroke College’s telethon training processes and administration was also made available to Oxford University SSO users. This included its gift form template, an information pack for telethon callers, the script that telethon callers were asked to follow, and the college’s training material. Cherwell could not find evidence of a similar telethon leak for any other Oxford colleges.
In their data protection policy for alumni, Pembroke College states that: “Our shared relationship management system, DARS, is hosted on infrastructure within the University of Oxford’s network and is protected by logical access controls. Access is limited to individuals who need to see and use the data to carry out their duties, and access rights are restricted according to individual job roles in order to ensure that users only see information that is relevant to them. All DARS users receive appropriate training, including training on data privacy, before being granted access.” The breach violated this policy.
A Pembroke College spokesperson told Cherwell: “On being alerted to this breach, which we now know arose out of a technical issue when the site was created, the College immediately secured the data and launched an urgent internal investigation. The source of the problem was identified as the technical set-up of a Teams site where alumni data sheets were shared with our student telethon callers.”
“The limited number of individuals, outside of the authorised group, who have been identified as accessing the data will be contacted to remind them of the consequences of the misuse of data, and we are contacting the alumni involved to apologise for this breach. Reports have been lodged with the ICO and will be lodged with the Charities Commission in line with our statutory duties. The College deeply regrets this incident. We take data protection very seriously and all relevant procedures are under review to ensure that they are robust for the future. The investigation continues.”
The University of Oxford has been contacted for comment.
Image Credit: Dave_S. / CC BY 2.0