UCDSU halts all student Leap Card applications after data protection issue

31 Aug 2018

Image: Luke Maxwell

Students who apply for a student Leap Card online can have all their personal details read by a college agent due to a data protection oversight.

Anyone currently looking to secure a student Leap Card from an agent at University College Dublin (UCD) will not be able to do so as its students’ union announced it has suspended all sales of the card until further notice.

The issue arose after it was revealed yesterday evening (30 August) by The Irish Times that the online ordering system for the travel card contained a serious data protection flaw, which could allow a college agents read all of the student’s personal details, as well as those of others on the system.

Developed by a firm called Fimak Group, the online application system works by asking the student to submit their details online and, once completed, they will be sent a six-digit PIN. The student then submits this PIN to the college agent, who enters it into a system and prints off the card.

However, as the agent enters the digits of the PIN, a considerable number of other applicants who happen to have similar numbers at the beginning of the code also appear before the full code of the original applicant is entered.

Fear of stalking

It is understood that UCD’s students’ union (UCDSU) raised the issue with Fimak in May, saying such a system could be abused by an agent and was a breach of data protection regulations.

Responding to the union at the time, Fimak said that its system was approved by the National Transport Authority (NTA) and was “fit for purpose”.

While admitting that it would be reviewed on an ongoing basis, Fimak said that its current system “will stay as it is”.

Earlier this month, however, emails sent to UCDSU by the NTA agreed with the union’s concern and said that fixing the issue should be of “category-one importance”.

Fimak so far has declined to comment on the allegations.

UCDSU president Barry Murphy said it will continue to suspend all new applications until the issue has been resolved. “[A] student could end up being spammed, meaning there could be identity tests,” he said.

“If someone took a shine to how they look, they could find out where they live and they can also look at a picture of them and they could end up stalking them.”

Updated, 11.11am, 31 August 2018: This article was updated to correct a spelling error and clarify that the firm behind the development of the Leap Card online application system is the Fimak Group.

Colm Gorey was a senior journalist with Silicon Republic

editorial@siliconrepublic.com