Incident Notice: Food Bank

UOSU-Header

Incident Notice: Food Bank

The University of Ottawa Students’ Union (UOSU) wishes to notify Food Bank users of incidents involving personal information provided to the University of Ottawa Students’ Union Food Bank (UO Food Bank). We take our responsibility to protect our members’ personal information seriously, and we sincerely regret that these incidents occurred.

What happened?

The UO Food Bank is operated by the UOSU. The UO Food Bank uses Google Forms to obtain requests for food (Food Order Form) from UOSU members. An employee of the UOSU mistakenly and unintentionally configured a Google Form so that it contained a link entitled “See previous responses”. By clinking on the link, those accessing the page would be able to view the information of individuals who had previously completed the form.

This information was available from December 7, 2020 to January 5, 2021. The Food Order Form was removed from the UO Food Bank website immediately upon the identification of the issue.

Further, it came to our attention on January 11, 2021 that a previous form used for deliveries during the summer months may have been subject to a similar disclosure. The information on this form was available from October 15, 2020 at the earliest to January 5, 2020. The form was similarly removed upon identification of the issue.

What information was involved?

The completed Food Order Forms used for this Fall contained the following information: name; email address(es); student number; language preference; food choices; phone number (if provided); pick-up date and time; whether you agreed to wear a mask; feedback (if provided).

The completed Food Order Forms used for this Summer contained the following information: name; email address(es); student number; language preference; food choices; reasons for the order; phone number (if provided); pick-up method, date and time; whether you agreed to wear a mask; delivery address (if provided); feedback (if provided).

How many individuals were affected?

A total of 94 individuals completed the Food Order Form used for this Fall. A total of 159 individuals completed the Food Order form used for deliveries this summer. Some individuals may have been affected by both breaches.

What are we doing?

The “See previous responses” link was immediately removed from the UO Food Bank website.

We have arranged and paid for Equifax to provide those affected with a one (1) year subscription to their Complete Premiere Credit Monitoring and Identity Theft Protection Service.

We are taking steps to ensure that such an incident does not occur again, including revising our processes for collecting personal information to reduce the risk that personal information could be mistakenly made available to unauthorized individuals.

*Individuals affected will directly receive a communication from the UOSU shortly.*

Next steps?

  • Instructions on how to enroll in the Equifax program free of charge: affected students will shortly receive instructions on how to enroll in the Equifax program free of charge.
  • Credit Monitoring and ID Protection: affected students are asked to enrol in the Equifax Complete Premiere credit monitoring and Identity theft protection service
  • Watch for Phishing: Affected students are asked to be alert for “phishing” emails or text messages by someone who acts like they know them and requests sensitive information over email, such as passwords, Social Insurance Numbers, or bank account information. Do not open attachments or click on links in emails or text messages from senders that are unknown or are unexpected. Review email addresses and the names in links to ensure that they have not been modified. It is common for a malicious actor to slightly alter an email address or a website link in the hopes that the reader will not notice. Do not respond to unsolicited offers of financial assistance that appear to be from the UOSU or anyone associated with us.
  • Review Statements: Remain vigilant against potential identity theft or fraud. Regularly review and monitor account statements and credit history for any signs of unauthorized transactions or activity.
  • Free Credit reports: Canadians are entitled to obtain a free credit report from each of Equifax and TransUnion to review their credit file for signs of fraud or identity theft. This is in addition to the Complete Premiere Credit Monitoring and Identity Theft Protection Service that is being provided free of charge by the UOSU to affected students.
  • Fraud Alerts: Affected students may also consider placing a fraud alert on their credit file that requires businesses to verify their identity before issuing a credit. Students may arrange for this service directly through the credit reporting agencies listed above. There is a charge of this service and it can only be made available to a person with their express consent.
  • Report Identity Theft or Fraud: If an individual suspects that they may have been a victim of identity theft or fraud, they should consider contacting their local police and visit the Canadian Anti-Fraud Centre for support (http://www.antifraudcentre-centreantifraude.ca). They should also review the RCMP’s Identity Theft and Identity Fraud Victim Assistance Guide for steps they can take if they are the victim of identity theft or identity fraud. Visit www.rcmp-grc.gc.ca/scams-fraudes/victims-guide-victimes-eng.htm.

Who can I contact for further information?

If you have any questions about this incident, please contact Tim Gulliver, Advocacy Commissioner (819-588-2513).


This incident notice was amended at 7:30pm, on January 11, 2021.