University of Greenwich fined £120,000 for breach of sensitive data

Data breach exposed students' health data via unsecured microsite

The University of Greenwich must pay a 120,000 fine after an unpatched security flaw led to the leak of students' and staff's personal data.

Nearly 20,000 people were affected by the "serious breach", which occurred in 2016 when hackers discovered a vulnerability in an unsecured microsite built back in 2004.

Advertisement - Article continues below

The exposed data included names, addresses and phone numbers, but also sensitive information on 3,500 people that concerned details about student's extenuating circumstances, learning difficulties and staff sickness records.

While the microsite was built specifically for a training conference at the university's Computing and Mathematics School, which was devolved at the time, it was never shut down or made secure, and was first compromised in 2013.

Hackers then used the same vulnerability to access the web server, gaining access to 19,500 staff and students' information.

"Whilst the microsite was developed in one of the university's departments without its knowledge, as a data controller it is responsible for the security of data throughout the institution," said Steve Eckersley, head of enforcement at the Information Commissioner's Office (ICO).

"Students and members of staff had a right to expect that their personal information would be held securely and this serious breach would have caused significant distress. The nature of the data and the number of people affected have informed our decision to impose this level of fine."

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

The 120,000 penalty is the first the data protection watchdog has issued to a university under the Data Protection Act 1998, out of a maximum 500,000 fine it can impose.

However, new EU data protection rules come into force on Friday that introduce higher sanctions. The General Data Protection Regulation (GDPR) will allow regulators to fine organisations that suffer data breaches a maximum of 20 million, or 4% of their annual turnover.

When IT Pro reported on the breach at the time, university secretary Louise Nadal called it "a serious, unprecedented error", and said she would conduct an investigation into what happened.

In response to the ICO fine, university secretary Peter Garrod outlined the results of that review, including new investment and an overhaul of the university's security practices.

"We acknowledge the ICO's findings and apologise again to all those who may have been affected," he said in a statement. "Since 2016 when the unauthorised access to some of the university's data was discovered, we have carried out a major review of our data protection procedures and made a number of key changes.

Advertisement - Article continues below

"Specifically, we have invested significantly in new technology and staff; overhauled the information technology governance structure to improve internal accountability; and implemented new monitoring systems and a rapid response team to anticipate and act on threats."

He added: "No organisation can say it will be immune to unauthorised access in the future, but we can say with confidence to our students, staff, alumni and other stakeholders, that our systems are far more robust than they were two years ago as a result of the changes we have made. We take these matters extremely seriously and keep our procedures under constant review to ensure they reflect best practice."

Featured Resources

Preparing for long-term remote working after COVID-19

Learn how to safely and securely enable your remote workforce

Download now

Cloud vs on-premise storage: What’s right for you?

Key considerations driving document storage decisions for businesses

Download now

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Transforming productivity

Solutions that facilitate work at full speed

Download now
Advertisement

Recommended

Visit/security/ethical-hacking/356252/poorly-secured-banking-apps-lead-to-cyber-threats
ethical hacking

Mobile banking apps are exposing user data to attackers

26 Jun 2020
Visit/security/malware/356231/most-malware-came-through-https-connections-in-q1-2020
malware

Most malware came through HTTPS connections in Q1 2020

25 Jun 2020
Visit/security/phishing/356211/phishing-attacks-target-unsuspecting-wells-fargo-customers
phishing

Phishing attacks target unsuspecting Wells Fargo customers

24 Jun 2020
Visit/security/hacking/356210/trump-administration-wants-to-enhance-the-security-of-gov-sites
hacking

Trump administration wants to enhance the security of .gov sites

24 Jun 2020

Most Popular

Visit/business/business-operations/356395/nvidia-overtakes-intel-as-most-valuable-us-chipmaker
Business operations

Nvidia overtakes Intel as most valuable US chipmaker

9 Jul 2020
Visit/laptops/29190/how-to-find-ram-speed-size-and-type
Laptops

How to find RAM speed, size and type

24 Jun 2020
Visit/mobile/google-android/356373/over-2-dozen-additional-android-apps-found-stealing-user-data
Google Android

Over two dozen Android apps found stealing user data

7 Jul 2020