University data breach

With GDPR still getting attention, here’s news that the Information Commissioner has fined the University of Greenwich over a significant data breach that happened in 2016.

Greenwich University fined £120,000 for data breach
The fine was for a security breach in which the personal data of 19,500 students was placed online. The data included names, addresses, dates of birth, phone numbers, signatures and – in some cases – physical and mental health problems. It was uploaded onto a microsite for a training conference in 2004, which was then not secured or closed down.

The Information Commissioner said Greenwich was the first university to receive a fine under the Data Protection Act of 1998 and described the breach as “serious”.

[…]

In a statement, the university said it would not appeal against the decision.

It said it had carried out “an unprecedented overhaul” of its data protection and security systems since the discovery of the breach in 2016, and it had invested in both technology and staff.

So the personal data was added to a website in 2004 and left there for 12 years until the breach was discovered?

The University of Greenwich fined £120,000 by Information Commissioner for “serious” security breach
The investigation centred on a microsite developed by an academic and a student in the then devolved University’s Computing and Mathematics School, to facilitate a training conference in 2004.

After the event, the site was not subsequently closed down or secured and was compromised in 2013. In 2016 multiple attackers exploited the vulnerability of the site allowing them to access other areas of the web server.

A timely warning for others, I guess. Under GDPR, these fines could be significantly higher.

Author: Terry Madeley
