Uni. of Greenwich fined for personal data breach
The University of Greenwich has been fined £120,000 by the Information Commissioner’s Office following a ‘serious’ security breach that involved the personal data of nearly 20,000 people – among them students and staff.
The university, which is also a registered charity, is the first university to have been fined by the Commissioner under the existing data protection legislation (the Data Protection Act 1998).
The Information Commissioner’s investigation centred on a microsite developed by an academic and a student in the University’s then devolved Computing and Mathematics School to support a training conference in 2004.
After the event the site was neither closed down nor secured. It was first compromised in 2013, and in 2016 several attackers exploited a vulnerability in the site to gain access to other areas of the university’s web server.
The personal data comprised the contact details of 19,500 people, including students, university staff and alumni: names, addresses and telephone numbers. Around 3,500 of these records also contained sensitive data, such as information on extenuating circumstances, details of learning difficulties and staff sickness records. The data was subsequently posted online.
“While the microsite was developed in one of the University’s departments without its knowledge, as a data controller it is responsible for the security of data throughout the institution,” said Steve Eckersley, Head of Enforcement at the Information Commissioner’s Office. “Students and members of staff at University of Greenwich had a right to expect that their personal information would be held securely and this serious breach would have caused significant distress. The nature of the data, and the number of people affected, have informed our decision to impose this level of fine.”
The Commissioner found that the University of Greenwich did not have in place appropriate technical and organisational measures for ensuring, so far as possible, that such a security breach would not occur; in particular, it lacked measures to ensure that its systems could not be accessed by attackers.
In a statement, the University of Greenwich said that since the 2016 breach occurred, it has ‘taken a number of significant steps to enhance its data protection procedures’. These include:
- Making major investments in new security architecture, tools and technologies.
- Hiring new dedicated internal experts whose sole focus is information security.
- Conducting vulnerability testing across the entire organisation every day.
- Making information security training mandatory for all staff.
- Reforming the system of internal IT governance.
- Developing a rapid incident response capability to tackle threats as they arise and to learn lessons from incidents quickly.