The quango that channels government loans and grants to UK students has launched an internal investigation after it attached the email addresses of more than 8,000 students to a mass email.
The Student Loans Company (SLC) was emailing the students to remind them to complete their finance applications, but "mistakenly included a spreadsheet containing the 8,400 student email addresses [it was] contacting", the non-departmental public body admitted on Wednesday.
"We would like to apologise to those customers whose email addresses were disclosed to other students," company secretary Chris Andrews said in a statement. "The Student Loans Company takes the security of student accounts and the protection of personal information very seriously and we have strict procedures in place to protect customer details."
"We have now launched our own internal investigation into the causes of this breach," Andrews added.
The SLC first confessed to having made the data breach on Monday, when it stressed in a separate statement that "no other personal student data", apart from the email addresses, was divulged.
Apart from now having opened up an internal investigation, the SLC said it had also contacted the Information Commissioner's Office (ICO) and the Department for Business, Innovation and Skills to notify them of the incident.
The SLC episode was not the first major data breach this year that involved public bodies and scores of email addresses.
An arguably more serious incident took place at the start of February, when the Metropolitan Police included the email addresses of 1,136 crime victims in the visible CC field — rather than the hidden BCC field — of a mass email survey.