LUSU has reported a data breach in its wholly-owned subsidiary company, LUSU Living, to the Information Commissioner’s Office (ICO). At least one file containing details about the landlords LUSU Living works with was accidentally attached to an exchange of emails with a student. According to a statement on their website, LUSU ‘has taken immediate action to minimise the breach and ensure that the file has been deleted.’ They also stated that no data about tenants had been released.
The Tab Lancaster reported that the file contained information on over 160 properties, including landlords’ addresses. A source told The Tab that the breach also contained information about landlords’ profit margins, and that they were ‘rather high’. This is embarrassing if true, as it comes just days after LUSU announced their hypocrisy on third-term rent: they were campaigning for the University to waive it while insisting that ‘Tenants with LUSU Living must still pay their rent for term 3 in line with their contracts.’
LUSU Living is the trading name for a company called L.U.S.U. Housing Ltd. Its current directors are the interim CEO Misbah Ashraf, the Financial Controller Jane Morgan-Jones, and the LUSU President George Nuttall. The Vice President (Union Development) is also, typically, a director, but that position has been left vacant since Hannah Prydderch’s resignation in March. Matthew Ward, LUSU’s Housing Manager, is responsible for a day-to-day running of the company. In the 2019 accounts, LUSU Living reported a turnover of £3.6 million and a net profit of almost £270,000, down on £370,000 in 2018. LUSU Living takes up, therefore, a significant part of LUSU’s annual £8+ million turnover.
LUSU Living was condemned at the LUSU AGM in October 2019 as one of the most ‘notoriously poor’ landlords in Lancaster. Questions have previously been asked whether it is ethical for a charity that is apparently concerned with the welfare of its members to operate a lettings agency in order to exploit them. The refusal to waive rent combined with this data breach will be unlikely to allay fears.