Brandon University is dealing with the aftermath of a major security breach.

The university sent a letter to students last week, informing them that one of their servers had been hacked and student information had been accessed.

Staff found out on Oct. 14 and immediately took the university's website offline and called police.

They also contacted provincial privacy officials and got in touch with security experts, who found only one of the school’s 40 servers had been breached.

University president Deborah Poff said officials learned of the breach when they received an email from the hacker.

"We thought the easiest thing to do was ask the individual to give us some evidence that this is the case, and on that day they did, so we knew that at least one record had been accessed," she said Wednesday.

Student union unhappy with delay

The security breach meant students couldn’t access the university’s website or their online programs for several days.

Student union president Stephanie Banchewich said she’s not happy it took officials four days to inform students about the issue, and she said there are still a lot of unanswered questions for students.

Brandon University

Brandon University suffered a security breach on one of its servers on Thanksgiving Day. (Google Street View)

"We're obviously concerned. We feel it should be the priority of the university to ensure that our information is secured," she said.

Poff said students were notified as soon as possible, but officials needed time to determine exactly what happened so they could provide accurate information.

"We actually had to tell people what was true, and we had to establish what was the case," she said.

"Just to tell them that something happened — we're not sure what — wouldn't have been a very reassuring or confident kind of message to give."

Brian Bowman, a privacy lawyer based in Winnipeg, says private-sector companies and institutions like Brandon University are currently not required by law to notify individuals of security breaches.

"There's no expressed legal obligation to notify people. That being said, it's obviously a good best practice and ethically it's the appropriate thing to do," he said.

Bowman said that will soon change, as a bill that was recently passed in the Manitoba legislature will require anyone in the private sector to disclose privacy breaches.

Information from student applications accessed

The university sent out another release on Wednesday, saying personal information in student applications from 2004 to 2009 had been accessed by the hacker.

Officials said a “test database” that had real and fake student information was being used to develop new web tools for the university, and that database was what was accessed.

They assured students no financial information or academic records were involved in the security breach, but conceded that social insurance numbers, names, birth dates and other information was stored in the database.

News of the security breach has students like Taryn Jackson, a third-year music student, worried about what types of information the hacker may have about her.

"Email addresses, phone numbers, you submit your SIN number for tax records and things like that," she said.

"I've also been employed by the university, so they have a lot of my information that way. Definitely concerning."

Students whose information may have been accessed are now being contacted.

University officials and police are investigating.

Bowman said whenever names, home addresses, financial or health information is comprimised, those affected become vulnerable to identity theft.

"One of the worst fears that folks have when there's any information data breach, of course, is identity theft," he said.

"Even short of identity theft, the types of things that folks will be fearful of is any loss of financial information, health information."

Bowman said people should always monitor their credit and billing information for any suspicious activity.