University Fined £120,000 Over ‘Serious’ Security Breach

The Information Commissioner’s Office (ICO) has fined the University of Greenwich £120,000 following a “serious” security breach that exposed the personal details of nearly 20,000 people.

The ICO said it was the first time a university had been fined under the Data Protection Act 1998, the rules then in force.

The breach took place after a student and an academic created a microsite for a training conference in 2004.

Following the event’s conclusion, the site was neither closed down nor secured, and was compromised in 2013.

Systems breach

In 2016 multiple attackers exploited the still-vulnerable site to reach other parts of the university's network. They gained access to the contact details of 19,500 people, including students, staff and alumni. That data included names, addresses and telephone numbers, the ICO said.

But 3,500 of the records also included more sensitive data on extenuating circumstances, details of learning difficulties and staff illness records. The information was posted online.

In one example, the breach disclosed the fact that a student had a brother who was fighting in a Middle Eastern army and references were made to an asylum application.

One of the students involved discovered the breach and reported it to the ICO and the BBC.

The microsite was developed without the university's knowledge, but the ICO said the university was nevertheless responsible for security throughout the institution, including systems it did not know had been set up.

The ICO said it found the university did not have appropriate technical and organisational measures in place to ensure the security of personal data.

Overhaul

“Students and members of staff had a right to expect that their personal information would be held securely and this serious breach would have caused significant distress,” ICO head of enforcement Steve Eckersley said. “The nature of the data and the number of people affected have informed our decision to impose this level of fine.”

The University of Greenwich said it would not appeal and would take advantage of a prompt payment discount to reduce the fine by 20 percent to £96,000.

It said it had carried out an overhaul of its data protection and security systems.

“No organisation can say it will be immune to unauthorised access in the future, but we can say with confidence to our students, staff, alumni and other stakeholders, that our systems are far more robust than they were two years ago as a result of the changes we have made,” said university secretary Peter Garrod.

Data protection authorities in Europe are to be given far greater powers to fine offenders under the General Data Protection Regulation (GDPR), which takes effect on 25 May 2018.

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications
