back to article Brit uni blabs students' confidential information to 298 undergrads

The University of East Anglia has sent almost 300 undergraduates an email detailing other students' extenuating circumstances. The information was in an Excel spreadsheet attached to an email that ended up being sent to every undergraduates enrolled at the American Studies school through an email-all address. It included 42 …

  1. Anonymous Coward
    Anonymous Coward

    Another reason to ban Outlook.

    Convenience and email should never meet. Bad shit happens when they do.

    1. Anonymous Coward
      Anonymous Coward

      Re: Another reason to ban Outlook.

      Outlook isn't to blame, users are. We've had this happens plenty of times with recently trained staff using web based e-mail systems.

      What's started working for us it making the person who made the mess clean it up, having them SPEAK to the people affected as well as write to them. Other staff became more concerned when they realised they might have to go face to face with the person they'd leaked sensitive information about.

      1. TRT Silver badge

        Re: Another reason to ban Outlook.

        Outlook must be the only email system I've seen with a recall option. I obviously am wrong on this, but that's down to the fact that I've not seen every email system under the sun, only a few well used and popular ones.

        1. FuzzyWuzzys Silver badge
          FAIL

          Re: Another reason to ban Outlook.

          Recall only works when directly connected to Exchange servers. If you send an email out into the big wide world over to remote servers, recall won't work.

        2. Pascal Monett Silver badge

          Re: Another reason to ban Outlook.

          Outlook may indeed have a recall option, but that can only work for email sent to a recipient on the same mail network (ie an office colleague).

          As soon as your email leaves the domain it was sent to go to another one, your recall option dies.

          Edit: aaaand a FuzzyWuzzy beat me to the punch. Well done !

        3. Destroy All Monsters Silver badge

          Re: Another reason to ban Outlook.

          The "recall" option only works for the recipients on the same Exchange tenant though.

          The only way to make this kind of dumbass attack not happen is clear separationof concern in the office. You deal with the mental health spreadsheet, you physically go to another laptop in the office. And no sneakernet.

          We sadly read:

          Given the university is supposed to be making mental health a priority

          Only in the ago of diversity and social justice. Previously, the university was supposed to make teaching & research a priority.

          1. Prst. V.Jeltz Silver badge

            Luddite!

            " you physically go to another laptop in the office"

            really? do you want to go back to typewriters and paper too?

            1. Destroy All Monsters Silver badge

              Re: Luddite!

              really? do you want to go back to typewriters and paper too?

              Apparently it would be a very good idea.

          2. Rich 11 Silver badge

            Re: Another reason to ban Outlook.

            We sadly read:

            Given the university is supposed to be making mental health a priority

            Only in the ago of diversity and social justice. Previously, the university was supposed to make teaching & research a priority.

            Oh dear. Someone who is unable to recognise that it is possible to entertain more than one priority, possibly even ranking them in conditions where they might conflict.

            In your world, I expect someone with mental health issues is told 'Pull yourself together, man!' and that's the end of it. After all what do a few suicides matter once the university has already got their fees? And it's not like the late teens and early twenties are common ages when diseases like schizophrenia first manifest, is it?

            Maybe you'll have to wait until someone in your family dies before you start to wish that everyone had shown a little more awareness a little sooner.

          3. Thomas 6
            Flame

            Re: Another reason to ban Outlook.

            'A' priority, not 'THE' priority.

            1. P. Lee Silver badge
              Mushroom

              Re: Another reason to ban Outlook.

              >'A' priority, not 'THE' priority.

              Which would correctly tell you absolutely nothing. It is a priority, just slightly lower in ranking than cleaning my toenails.

              Forget banning Outlook, ban "Excel as a database".

              Ok, that's harsh. We just need Excel with a data store which isn't a file. Then at least you can keep hold of the access control even after the mail is sent.

              I was tempted to use the "c" word, but we probably don't need that kind of language around here!

              Mushroom c....

              A bit of DLP would be nice too. If you ditched the proprietary formats it would be even easier and cheaper to implement....

          4. Phil W

            Re: Another reason to ban Outlook.

            "The "recall" option only works for the recipients on the same Exchange tenant though."

            Sadly even that isn't true, at least up to Exchange 2013, not used 2016 yet. Recall with Outlook/Exchange requires that the recipient of the recall be using the Outlook client as well, if they're using OWA or connecting via IMAP they'll simply get and email saying "User <insert name here> would like to recall this message", it's only a running Outlook client that which actually process this and remove the message from the inbox. Or at least that's what uses to happen last time I looked into it, maybe it's been patched since?

          5. Naselus

            Re: Another reason to ban Outlook.

            "The "recall" option only works for the recipients on the same Exchange tenant though."

            Thing is, in this case they probably are. Most universities will just issue students an email account on their own infrastructure rather than sending email out to personal addresses.

            Of course, it's a bit late by then anyway.

    2. Anonymous Coward
      Anonymous Coward

      Re: Another reason to ban Outlook.

      So what mail client prevents you attaching the wrong form?

      1. I am the liquor

        Re: So what mail client prevents you attaching the wrong form?.

        If you make everyone send their emails by TELNETting to port 25 and manually typing the SMTP commands, they have to work a lot harder to send the wrong attachment.

  2. Doctor Syntax Silver badge

    They've less than a year to sort themselves out. Maybe they're one of these SMBs that hasn't heard about GDPR yet.

    1. Anonymous Coward
      Anonymous Coward

      It's a fair point. Under GDPR information of this sensitivity should never, ever touch a spreadsheet, let alone get emailed out en masse.

      1. TRT Silver badge

        You have no idea (or maybe you do) how mind rippingly annoying it is to carefully craft a web-app front end to an encrypted database designed to keep all this kind of information safe only to be asked (1) to code an excel download option and (2) see those data appearing unencrypted in spreadsheets on the shared folders.

        1. Anonymous Coward
          Anonymous Coward

          Unfortunately, I know exactly how annoying it is. It's something I've done more times than I care to recall. I have a thankfully now long-past history churning out Spring CRUD apps for enterprises of all sorts.

          If organisations don't start learning to say No to these kinds of requests they're going to get hammered by GDPR when they inevitably fuck up. They've got HR platforms, they've got ERP and CRM platforms. Those bits of software are all more than capable of sending emails securely from a vetted workflow.

          There's no excuse. This isn't some piddling SMB we're talking about. This is a university with 4,000 staff, 16,000 students and an annual budget of £250m.

          1. Anonymous Coward
            Anonymous Coward

            Those bits of software are all more than capable of sending emails securely from a vetted workflow.

            ERP systems are often a pile of cack for anything non-standard, but your point extends to the fact that they (apparently) didn't even have the file encrypted and protected. Admittedly that's a weak last line of defence, because busting an Excel password isn't that hard, but at least most people couldn't do it, or wouldn't bother.

            They deserve to be taken to the cleaners for this.

            1. Anonymous Coward
              Anonymous Coward

              Having it in a locally stored file at all is unacceptable, whatever the level of protection. Impossible to audit, impossible to secure, impossible to find and retrieve.

              Even under the current rules it's absurd. How would you capture a spreadsheet in an SAR?

            2. TRT Silver badge

              Have to agree that many organisations operate a monolithic structure where the ERP systems aren't flexible enough to do the job, but they're so insular and unmodifiable that for a rough and dirty report on, say, pay by gender, or pay by disability or amount of paternal leave taken, or percentage of students requiring special measures for exams, that it's often quicker, easier and within the DIY reach of a member of support staff to take the data through Excel to get the result.

              So often I get asked, "How quickly can you get a breakdown of historic research income by quarter separated by the gender ratio within the lab and gender of the lead investigator?" that when I reply "Two days, including testing, once I've finished this epic piece of coding I'll get straight onto it for you." I get "I could do that in Excel in, like, an hour".

              1. Doctor Syntax Silver badge

                So often I get asked, "How quickly can you get a breakdown of historic research income by quarter separated by the gender ratio within the lab and gender of the lead investigator?" that when I reply "Two days, including testing, once I've finished this epic piece of coding I'll get straight onto it for you." I get "I could do that in Excel in, like, an hour".

                It depends on how well you know your way round the schema. If all they want is a one-off you should be able to do it from a good SQL database in less time than Excel. It depends on your priorities and those you work with. They need to realise that if you're doing application coding and one-off queries.then the application coding is going to be delayed by a lot longer than the time you actually spend on the on-offs. However they might be OK with that.

                1. Jack of Shadows Silver badge

                  With my toolset ($20K total per seat) I can beat the Excel time handily even if I have to import the schema. Really depends on the amount of marveling at WTF cruft within. Counterpoint, they won't have bought these tools for their devs. Which is why I get bizarre requests from the odd establishment now and again.

              2. Captain DaFt

                -that when I reply "Two days, including testing, once I've finished this epic piece of coding I'll get straight onto it for you." I get "I could do that in Excel in, like, an hour".-

                "Then why are you pestering me for it, then?"

        2. Flywheel Silver badge

          Maybe encrypt the spreadsheet/document with sensitive content using a specific key pair before sending it as an attachment? At least the private key holder(s) could be identified and would only issue the public key to those that actually need it. It's not rocket science - it can be a pain, but not as painful as a breach like this.

      2. Anonymous Coward
        Anonymous Coward

        My uni stores all information on Google Docs spreadsheets it is only later entered into the database by admin.

        1. TRT Silver badge

          Oh Christ on a bike! It's almost as bad as doing everything in Word or Excel, stored on Sharepoint.

          I mean, why get people to complete the reams of paperwork required for a project specification as word documents which are then stored in a hierarchical folder based structure that varies around a core design depending on who the Project Administrator is? That administrator then has to copy the information from the word forms into PowerBi, which churns out an incomprehensible set of graphs and a pile of hyperlinks to other word documents. It's bizarre and archaic! But it's the latest thing. Apparently. Working stupid is the latest thing. Amazing.

  3. frank ly Silver badge

    Yeah, right.

    "Could you please delete this without opening/reading."

    I wonder how many did the decent thing.

    1. PickledAardvark

      Re: Yeah, right.

      If the university had done the sensible thing -- saying that a serious error had been made, explaining that the enclosure contained personal data about other students, suggesting that recipients should respect privacy -- the email would have been worthwhile.

      Don't send a message which might encourage inquisitiveness.

    2. smudge Silver badge

      Re: Yeah, right.

      "Could you please delete this without opening/reading."

      Doesn't exclude saving a copy!

  4. Terry 6 Silver badge

    Email lists

    Where there are email lists and confidential attachments available at the same time these things will happen.

    Since email software can identify key words and ask "did you want to attach something", at the very least, in 2017, it's shocking that there is no automatic message saying "This is an email list. Are you sure you want to send <attachment name> to everyone on this list?"

    1. David 138

      Re: Email lists

      Later versions of outlook say how many people are in the list. But it wouldn't matter people would just yes, yes, yes, yes, oops it anyway. Everything is vulnerable to stupidity.

      The information should have been encrypted.

  5. Anonymous Coward
    Anonymous Coward

    Did they not try to recall it or get IT to delete it? Obviously, that's assuming it's internal.

    1. Anonymous Coward
      Anonymous Coward

      Increasingly it's not, I do wish e-mail systems had a tick box for urgent e-mail which was disabled by default and an "undo" option for 15 mins on all other e-mail which users could control themselves.

      1. I am the liquor

        If you use Outlook you can set that up using a mail rule with the "defer delivery" action. Messages will sit in your outbox for the configured period before actually being sent.

        There's probably a good case for organisations to set up such a rule globally through group policy. It would be easy enough to make it conditional so that messages with the "urgent" flag don't get delayed.

  6. ArrZarr Silver badge
    Facepalm

    Er, no?

    Convenience and email shouldn't just meet, they should fall in love, get married and have a horde of kids. Removing this convenience would make even simple tasks, like keeping the team in CC and not forgetting anybody much more of a hassle so people wouldn't do it if they could get away with it which leads to fewer people being informed about relevant stuff which leads to confusion.

    Emails to the whole company about the office party? Congratulations. You just made the poor sod writing the email have to type 100+ names instead of using the staff distribution list.

    Edit: Oh bugger, this was meant as a reply to the first AC post

    1. Just Enough
      Facepalm

      "Edit: Oh bugger, this was meant as a reply to the first AC post"

      If you were making a point, you really should have replied this to every post.

  7. Fonant
    Alert

    Spreadsheet != Database

    The WTF for me is the fact that they're storing highly confidential information in a spreadsheet. And a non-protected one at that.

    This stuff should be stored very carefully, so that it cannot ever be accidentally sent to lots of people in a readable form.

    The fact that email is the messaging medium is pretty irrelevant, its the data storage that's the problem here.

    1. Doctor Syntax Silver badge

      Re: Spreadsheet != Database

      When all you've got is Excel everything looks like a spreadsheet.

      And some people just don't get anything else.

    2. Anonymous Coward
      Anonymous Coward

      Re: Spreadsheet != Database

      This is commonplace in all aspects of education, I've been working in a college for over 10 years and it all comes down to money.

      We have a student DB, but it's unwieldy, slow and crap. To get any changes made to it, you have to get the developer in to do a analysis, then the design, then the development, etc before it can be finally added and used.

      The admin staff know how to use Excel, filters and search. The DB, rubbish as it is allows exports so why not export student lists and create your own small list of students extenuating circumstances. And everything needs to be done yesterday so shortcuts always win

      1. Doctor Syntax Silver badge

        Re: Spreadsheet != Database

        "We have a student DB, but it's unwieldy, slow and crap. To get any changes made to it, you have to get the developer in to do a analysis, then the design, then the development, etc before it can be finally added and used."

        I wonder why anybody does analysis and design. Could it be to try to prevent this sort of thing?

        By letting - yes, there's an element of permission there, even if only be default - short-cuts to be taken your student DB is prevented from being improved. And so your management paints itself further into a corner so that, assuming you're in Europe, one day you find that you didn't really save money, all you did was postpone it until it was drained away in a big fine.

        1. FaintSoundOfHavoc

          Re: Spreadsheet != Database

          Yep, I'm UK.

          The DB does what management want, allows them to pull completion reports, results, stats and figures which are all sorts of mixtures of RAG colours but it's rubbish for teaching and support staff.

          Talking about saving money, my senior managers have lots of cash for constant moving around of departments and the associated building works that come with it, 4 years in a row I've had to move offices

          1. Doctor Syntax Silver badge

            Re: Spreadsheet != Database

            "Talking about saving money, my senior managers have lots of cash for constant moving around of departments and the associated building works that come with it, 4 years in a row I've had to move offices."

            Just moving around? Real managers would have had at least 3 reorganisations in that time?

    3. PickledAardvark

      Re: Spreadsheet != Database

      "The WTF for me is the fact that they're storing highly confidential information in a spreadsheet. And a non-protected one at that."

      Most likely, the data was extracted from several databases and merged into a spreadsheet for an internal meeting. The spreadsheet would have been stored on an internal share protected by Windows ACLs. It would have been protected by ACLs but somebody with access attached it to an email.

      Perhaps there is something wrong with system storage and OS design. If a user wishes to send or copy a document which resides in a special storage area, shouldn't the system protect the user from mistakes?

  8. andy 103

    And so it continues

    Who's seen a scenario like this before:

    1. Company invests in a system where its staff have to login to access certain data. The point being, anyone who should be able to access the data has access to the system, and nobody else.

    2. Someone (who may or may not have access to the system) requests some data.

    3. Someone - with access - exports data, and emails it to 2.

    4. You've completely negated the point of 1.

    Unfortunately people will always choose "convenience" over policy, or what's right. Until they personally get in trouble. But you know, they rarely do. And so it continues.

    And as for all that "this email is confidential so don't open it if it's not really for you" bullshit at the bottom. Yeah, good luck with that. That's a bit like saying if you find my PIN number written on the back of my card, please don't type it into an ATM. Too late at that point I'm afraid.

    1. Pascal Monett Silver badge

      Re: 3. Someone - with access - exports data, and emails it to 2

      It should be :

      3. Someone with access evaluates the legitimacy of the demand, seeks approval to gather the information and, only if approved, collates it and sends the data to (2)

      The problem is not being able to send the data - the problem is the usual lack of attention to context and detail that makes this kind of mistake possible.

      And no software, nor any amount of messagebox questions, will ever be able to circumvent the problem.

      1. andy 103

        Re: 3. Someone - with access - exports data, and emails it to 2

        "The problem is not being able to send the data - the problem is the usual lack of attention to context and detail that makes this kind of mistake possible."

        True. But it largely comes down to convenience for either the sender or recipient. Imagine if the recipient was sent a link to the secure system and they didn't have a login. They reply to the sender telling them they can't access it. Even if the sender can set them a login up, the sender doesn't want to deal with that "problem". So they just send the data in a format they know the recipient can open with no problem. In a similar way, people with legitimate access might say, oh I cba logging in to that, just send it me in something I can open directly. it happens ALL the time in business, trust me, I've seen it first hand in many different organisations - especially ones where it should not.

        Even if people are aware of what they're doing is wrong or against protocol, they will still do it, because they don't want (short term) hassle - usually from the recipient(s).

        1. Doctor Syntax Silver badge

          Re: 3. Someone - with access - exports data, and emails it to 2

          "Even if people are aware of what they're doing is wrong or against protocol, they will still do it, because they don't want (short term) hassle - usually from the recipient(s)."

          It's a matter of attitude. My last client before retiring took security very seriously because they provided secure services to clients. Irrespective of the inconvenience staff would observe secure protocols. As yet most businesses can get away without that. Gradually, as consequences get more serious and more widely realised things will improve. It'll just take bigger fines and more class actions before it happens.

          1. Terry 6 Silver badge

            Re: 3. Someone - with access - exports data, and emails it to 2

            The thing about taking time, doing things right etc is that every manager wants everyone to do that - except when it's something that they want done, now! and without making it difficult for themselves. Security, like chastity, is for other people.

  9. Lee D Silver badge

    - Poor data storage (spreadsheet for potentially medical information? No password? No encryption? Just one big spreadsheet for everyone? Hope it doesn't have macros neither!)

    - Poor data management (people just picking the document up and attaching to emails, no control or confirmation of outgoing attachment, no data control intercepts to spot multiple personal information leaving the site, no limit control on emails going out to 290+ students with an attachment?)

    - Poor permissions management (can just email out to groups of students with attachments? No having to post to internal services and link instead: "the document is available under your online account", etc.? )

    And all for what? A spreadsheet of their reasons for failling exams. Why is that even a spreadsheet? Why is it not contained in the MIS? Why is it not in the privileged area of the MIS? What service requires you to generate a list of every students extenuating circumstances in one place in plain-text, and why would you keep that around past submission over a secure channel?

    I'm guessing - based on working in schools for decades - that it's someone's pet project which they use and store separately because they can't work the MIS system, which they then email out to other people rather than them have to work out how to use the MIS. And they mis-hit and sent it to the group of affected students rather than the person they meant to inform of those students.

    There's really no excuse, and it's sloppy data management in human terms, which is indicative of much larger problems in terms of handling data. The fact that someone could generate such a list from, presumably, confidential form returns is just damning. Either those returns should be electronic and straight into the database and thus this was a specific "pull out everyone with this field because I want to read them all in one go" action, or they were collating them from some other service or typing-in which shouldn't be done with confidential records.

    I would expect fines on the order of 100's of thousands of pounds in such an instance. They are issued on that scale to schools and hospitals all the time, even if there's no proof that anyone else actually read them (e.g. missing encrypted CD's that you can't prove were encrypted in some cases).

    And that's a whole lot more expensive than teaching Joan in the office not to do that, or replacing her entirely (now an option) and getting an MIS that handles this stuff in a way that mass-queries are held securely rather than can be Excelled out of the organisation.

    1. Doctor Syntax Silver badge
      Devil

      "Hope it doesn't have macros"

      In this case a macro that downloaded ransomeware might have been just what you'd hope for. It might be extreme but it'd protect the data.

  10. Anonymous Coward
    Anonymous Coward

    This sounds like a process design fault, not just a opperational accident.

    Accidents happen, so the bigger issue is of course, why is this sensitive information kept in a apparently locally stored spreadsheet with the need to share it on email (after which you loose all track of what any recepient does with it).

    Even if you feel the need to use a spreadsheet for some sort of convenience, then still it should be stored in a central and protected location, and only the link shared. Then if the link accidently goes in a email to people who shouldn't have access to this information, they still can't get to it.

    1. Doctor Syntax Silver badge

      "This sounds like a process design fault"

      It sounds even more like lack of process.

    2. Hans 1 Silver badge
      Paris Hilton

      why is this sensitive information kept in a apparently locally stored spreadsheet

      why is this sensitive information kept in a spreadsheet

      TFTFY

      Store data in a SECURE database, create a ODBC/JDBC link to the database, use that in Excel .... don't have link to the database ? Cannot read data .... still locally stored excel file everyone is used to ...

      YET, why Excel ? Are they adding ailments, dividing by age, multiplying by date of birth or do they need pivot tables on this data ? Thought not ...

      Stop using Excel for stuff it was not designed for.

      1. Anonymous Coward
        Anonymous Coward

        I once - whilst working for a huge electronics retailer - received a presentation "designed" in Excel. I think they'd got some graphs they wanted to use, couldn't get them into Powerpoint, so moved all the text to Excel and just used one tab per page.

        I then received, from the same person, a list of stores with phone numbers, addresses etc in a table - that they'd pasted into Word.

        I contemplated writing my letter of resignation in Powerpoint to complete the trifecta.

  11. FuzzyWuzzys Silver badge
    Facepalm

    "Could you please delete this without opening/reading. Thank-you very much."

    What's the first thing you'll do?!! FFS!

    1. Anonymous Coward
      Anonymous Coward

      "Could you please delete this without opening/reading. Thank-you very much."

      What's the first thing you'll do?!! FFS!

      Save it, examine it, act on it. What else?

      1. 2+2=5 Silver badge

        > Save it, examine it, act on it. What else?

        Get infected by the virus, of course. :-)

    2. P. Lee Silver badge

      >"Could you please delete this without opening/reading. Thank-you very much."

      Should have read, "A spreadsheet possibly infected with the Wannacry ransomware has accidentally been attached. We recommend immediate deletion."

  12. Grease Monkey

    It's not outlook that's the issue here. It's working practices.

    Sensitive personal information should never find its way into spreadsheets at all. It should be stored only in secure systems and it should be very difficult to export such data from those systems in any form.

  13. Julian Bradfield

    I imagine that UEA uses Tribal SITS, so that'll be why people use spreadsheets.

    My university is paying vast amounts of money to Tribal so that they can hack, oops extend, SITS to handle our special circumstance casework, which at present is handled entirely locally within departments.

    1. Anonymous Coward
      Anonymous Coward

      Who wrote your requirements? A student data system unable to cope with mitigating circumstances casework? Your Uni is likely to be next...

  14. 0x41

    gg wp noobs

  15. Tim Jenkins

    That's going to be

    interestingly expensive for them. Nice big fine from the ICO PLUS a fair chunk of the named students reaching for personal injury lawyers, given the kind of intimate situations usually claimed as extenuating circumstances...

    (We had one such claim, back in the 90s, where the student stated the University had rendered them unable to complete their coursework owing to us restricting their IT access due to their taste for late-night viewing of inter-species relationship tutorials in the PC labs)

  16. Doctor Evil

    Necessary but not sufficient

    ""Could you please delete this without opening/reading.""

    Alternatively, if you have already opened it, could you please forget what you've read?

  17. PNGuinn
    Facepalm

    Database smaterbase - spreadsheet, smedsheet

    Hey - this is the University of the Inbred, NFN, is it not?

    Did they include the missing climategate fiddle factor?

    Enquiring minds NEED to know.

  18. Dan S

    Don't put names in the spreadsheet!

    I sit on a university exceptional circumstances panel. We get some really sensitive items. Our spreadsheets don't contain student names, we use an ID number that we can identify but students (or the wider world) cannot.

    I've dealt with a reply to all mailing list user error. Personally I think it was compounded by telling students not to read it and delete the email. What better way of making an otherwise dull email rather fascinating?

    1. Hans 1 Silver badge
      Happy

      Re: Don't put names in the spreadsheet!

      Personally I think it was compounded by telling students not to read it and delete the email. What better way of making an otherwise dull email rather fascinating?

      My thoughts exactly.

      I would have thought of something along the lines of: "A previous email of ours contained a contaminated Excel spreadsheet. If you have opened it, please come to the IT department asap, your data is at risk. If you have not opened it, delete the email and the attachment."

  19. Anonymous Coward
    Anonymous Coward

    Weird - when I was at UEA, it would have been way harder to do this using Elm for mail. Plus nobody would see it as none of the residences were networked so it was a trek to the library to use a computer.

    Mind you, that was..... *counts fingers*.... *runs out of fingers* *runs out of toes too*. Shit, that was years ago. I should have probably found a proper job and started paying back my loan by now.

    Actually, I do have a job. With a multinational telecoms company, who use Outlook. I don't know how they've screwed it up but every couple of weeks I get a spreadsheet meant for someone else, followed by a "User a.dickhead would like to recall message paydetails.xslx" so it's definitely not working here.

  20. Anonymous Coward
    Anonymous Coward

    East Anglia also takes a lot of well off students who couldn't get into Oxbridge

    HH1 "I say, Jonty's on a full scholarship like an oik."

    HH2 "I thought his pater was loaded. Drugs or guns or something."

    HH1 "True, but then he got his collar felt by the rozzers."

    1. EnviableOne Bronze badge

      Re: East Anglia also takes a lot of well off students who couldn't get into Oxbridge

      They got to Anglia Ruskin University so they can say they are at universaity in Cambridge

      or Oxford brookes for those of the other colour blue

  21. Anonymous Coward
    Anonymous Coward

    Was the wrong file attached to an email that was meant to be sent to all the mailing list, or more likely the email erroneously sent to the mailing list, probably as the result of auto-completion of the recipient address(es). It is not uncommon to select an address from the offered auto-completion list to then find that a mis-timed mouse movement has actually scrolled up/down to the next entry in the list.

    Whilst you would expect staff handling such data to be extra careful, at this time of year those involved are extremely busy with very tight deadlines to get exams marked and those marks processed (including any adjustments for extenuating circumstances) ready for exam boards.

    As has already been pointed out, whilst best practice would avoid the use of spreadsheets, the unwieldiness of university IT systems encourages such practices. Where I am we have 3 or 4 different systems tied to student records, exam and coursework marks and timetabling with all sorts of limitations, incompatibilities and synchronization issues . Whilst they are making efforts to update or replace legacy systems and produce a system that meets today's requirements it is a long slow process, not helped by the fact that those developing the new systems don't always appreciate that something that might work for a small department in humanities is completely impractical for a large science department.

    For our system that acts as the main portal for student coursework, timetabling, marks and feedback half the academics don't have the default access rights that the system developers expect as they can't be trusted not to mess things up, whereas because the permissions system is so complex, rather than spend ages trying to establish which of the ~100 permissions were required to enable me to manage timetabling issues our student office just gave me full departmental administrator access.

    From a security point of view that is completely inappropriate as it means I have full access to a load of confidential information that I have no need to access. From a personal point of view it is highly irritating as despite turning email notifications off, my mailbox gets inundated with messages about submissions, plagiarism checks and missed monitoring posts and exam mark uploads that are of no concern to me.

  22. EnviableOne Bronze badge

    Recall and spreadsheets not the issue

    One little tick box would have solved the issue

    In the send messages mail options "Use auto-complete list to suggest names when typing in the to, cc, and bcc lines." - untick this and users have to maually enter each address rather than jsut picking the top from the list, solves this and many accidental addressing issues.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019