Accessing 2,000 personal records 'exceptionally easy' says Laurentian student

Laurentian University says that a web security breach exposed the personal information of some 2,000 staff and students. The Laurentian student who says he's behind it says he was only trying to help the university improve its systems.

University notified staff and students about breach in January

Spencer Brydges has pleaded guilty to mischief for hacking into the Laurentian University computer system when he was a student in 2017. (Erik White/CBC)

It was on a Friday night in January that Spencer Brydges realized he could see things he wasn't supposed to in the Laurentian University computer database.

He says he was following up on some vulnerabilities he had noticed a few weeks before and now found he could access personal records including passwords, phone numbers, grades and whether or not a student had been to see a counsellor.

"Yeah, it was exceptionally easy. Trivial almost," says the computer science student.

"I did have access to pretty much the whole system. People's privacy was at risk, but that wasn't my intention."

Brydges says he wrote up a report and sent it to the university's information technology department, something he says he had done a few years earlier when he was able to access the Laurentian parking database.

He says the university has launched an investigation and contacted Greater Sudbury Police, which is also investigating.

Brydges says he has been temporarily banned from the Laurentian campus during the investigation, but is continuing his studies remotely.

"This isn't the response I was looking for. And the fact of the matter is, I do believe at the end of the day that this would be appreciated," he says.

Alex Freedman is the chief of staff at Laurentian University. (Laurentian University)

'We do everything we can to make sure the information is safe'

A letter was sent to all the Laurentian employees and students whose information may have been compromised.

"Although it is our view that the acts of the unauthorized student were malicious, our current belief is that your personal information was not accessed for the purpose of identity theft," reads the letter.

Laurentian Chief of Staff Alex Freedman says while at one point they thought the intention may have been to change grades, that has been ruled out.

"What we found is that they were likely doing this to prove a point," says Freedman.

He says the university, like most large organizations today, is under constant threat of cyber attack and this breach shouldn't be seen as a sign that Laurentian is especially vulnerable.

"We do everything we can to make sure the information is safe and we take the privacy of the information contained in this university very seriously," says Freedman.

"I don't think any organization anywhere on this planet would be able to say all our information is always secure."

Brydges says he isn't upset about Laurentian's response and is confident that the investigation will find that he did nothing wrong.

"They don't know what I could possibly know about students, what I could have on students," he says.

"I'm going to give them some leeway."
