Open mailing lists have caused chaos across university email system, with sprawling reply all conversations clogging up thousands of student inboxes.
The original email was ironically from an anti-phishing training programme, with a link to training on a Moodle webpage. It followed a spate of phishing attempts on Lancaster students, with the aim of teaching students to better protect their own personal data. Despite a disclaimer on the original and genuine anti-phishing email, many students believed that it itself comprised a phishing attempt.
Attached to the email was a text file containing a link to Lancaster’s mailing list service, allowing students to see which mailing lists they are currently part of, as well as the message archives of the emails sent using the list.
Because of the open nature of the email list, massive reply all conversations swiftly took hold, with hundreds of emails sent before the threads were closed. Many of these emails were complaints about people choosing to reply all, while other students took the opportunity to plug their social media pages.
There were multiple mailing lists, which were suspended within half an hour of the sending of the first email. Lancaster’s Information, Systems and Services department (ISS) released the following statement:
“An issue with student research mailing lists relating to phishing training has resulted in students receiving multiple emails. We have taken immediate steps to suspend the lists, so these emails and responses to them should soon stop arriving in inboxes. We’re liaising with the list owners to investigate the cause of the issue, and apologise for the problems this has caused.”
A spokesperson for the university apologised, and denied that the breach could amount to a breach of GDPR regulations, the new European data-protection act that can enforce fines of up to £20 million on offending bodies:
“Students were emailed on Thursday as part of a legitimate research project designed to raise student awareness of the problem of phishing and promote training.”
“A technical error resulted in students being able to respond to all recipients of the email. The University’s data protection officer has been made aware of this issue, however as no personal data has been disclosed in the emails we can confirm that there has been no breach of student personal data or the General Data Protection Regulation(GDPR).”
“We took immediate steps to suspend the email once the error was reported and we are investigating the cause. We apologise for the inconvenience this has caused.”