“Nothing screams carelessness and incompetence like the SUS vp external commit[t]ing privacy law violations,” an anonymous poster said on the Facebook page UBC Confessions in early March.
The post claimed that VP External of the Science Undergraduate Society (SUS) Shovon Das had accidentally sent out a mass email to UBC science students in the Blue Card Program without using the blind carbon copy (BCC) function, leading to the leak of around 200 student emails.
In the comment section of the post, Das posted an apology saying he was “incredibly sorry” and explained that when he sent the emails “it was 3am in the morning, [he] was not functioning properly.”
Das did not respond to The Ubyssey’s request for comment.
The Ubyssey also reached out to SUS President Julia Chai for an interview, who said she “would be speaking on behalf of [Das] and SUS as a whole.”
Chai confirmed that the incident took place as the confession post described. She explained that while writing the email, Das had accidentally put student email addresses into the CC function, which led to the leak.
She noted that the SUS has not received any formal complaints.
On measures to amend the mistake, Chai said that the SUS has sent out an email to the affected students notifying them of the mistake.
She added that the SUS was working with the AMS Privacy Officer to look into tools and procedures that would prevent future reoccurrence of privacy breaches, such as using software that allowed BCC emails to be sent out automatically rather than through manual input. They will be meeting this week.
When asked whether there would be disciplinary action, Chai restated that the SUS was working with the AMS to prevent future incidents and that they are currently prioritizing student privacy.
In an email statement to The Ubyssey, AMS Marketing & Communications Manager Eric Lowe said “the AMS takes protection of student information very seriously” and confirmed that the AMS Privacy Officer has been in discussion with the SUS regarding the leak incident.
Lowe said the Privacy Officer’s investigation was not complete yet so he could not provide any specifics on the measures to be taken by the AMS.