[Disclaimer: This post is based on a real incident I encountered, but the writing was assisted with generative AI (ChatGPT) and edited by myself because the phrasing used by ChatGPT was not typically how I would phrase some of the experiences.]
It started with two emails from students, and little did I know, it would be another chasing-our-own-tail situation where the folks of the institution were, again, “scoring own goals”.
The students had written in to the IT helpdesk, which referred their concern to the IT Security Team. They were concerned that their school email accounts might have been compromised. The students had received notifications about being enrolled in an e-learning application—something they had no prior knowledge of.
To make things worse, their names in the emails were incorrect. Naturally, they assumed their accounts had been hacked, which then made it appear to be an IT Security incident.
The first thing we checked was the legitimacy of the e-learning vendor. After some digging, we confirmed it was a well-known and trusted publishing company, i.e. it appeared to be bona fide, but it did not explain the mismatched names or why the students had not been informed.
I started piecing together a hypothesis. Perhaps the academic staff had provided the students’ names and emails to the vendor to onboard them into this application but had not informed the students. As an ex-internal audit head, I have seen situations where names and emails could have been wrong because someone deleted a cell in an Excel column, which resulted in the data not being “aligned” to the correct record.
The errors in the names might have been simple transposition mistakes. At this point, it seemed like a plausible explanation, but we needed more clarity.
The turning point came after we checked in with the students and connected with the academic staff. As it turned out, my hypothesis was fairly close to the truth. The academic staff had sent the names and emails of students to the e-learning vendor. However, they had not informed the students about the enrollment process. Somewhere along the way, mistakes were made in the student names during data submission. While the email addresses were correct, the names did not match, causing confusion and triggering the students’ concerns.
The entire incident could have been avoided with better communication and a bit more care in handling the data. Instead, it escalated to my team, consuming time and resources that could have been better spent on genuine security concerns.
Reflecting on this, a few lessons stand out. First, transparency is non-negotiable. Informing stakeholders—in this case, the students—about new applications or processes could have prevented all this confusion. Second, accuracy matters. Small errors in data handling might seem insignificant, but they can erode trust and create unnecessary alarm. Lastly, collaboration between departments is critical. When academic staff, IT teams, and external vendors fail to align, situations like this are inevitable.
This experience was a reminder that not all IT security incidents involve malicious hackers or sophisticated cyber threats. Sometimes, our biggest challenges come from within—missteps that could be avoided with proper communication and processes.
Have you ever faced a similar situation? How do you ensure alignment across teams to avoid these “own goals”? I’d love to hear your thoughts.
#CyberSecurity #ITSecurity #TransparencyMatters #LessonsLearned #ShenanigansInSecurity