In one of the last data breach fines to be handed down in a pre-GDPR Europe, the University of Greenwich has been ordered to pay a £120,000 fine to the Information Commissioner’s Office. The breach in question stemmed from a micro-website set up by students in 2004, and ultimately resulted in the details of 20,000 staff members and students being leaked online.
The University of Greenwich, in London, has accepted that it was responsible for the incident, and intends to pay the fine immediately.
Back in 2004, the university’s school of Computing and Mathematics created a ‘microsite’, a small website on the university webserver, that would allow attendees of a training conference to upload their papers. While this may seem harmless at first glance, a lot of issues can occur when IT work is carried out by non-IT professionals, who likely don’t have the same in-depth knowledge of security procedures and industry best practice. In this particular instance, once the microsite had done its job, it was never taken offline – nor was it maintained with regular security updates.
In 2013, almost a decade later, and again in 2016, cyber criminals struck, compromising the website and gaining access to other sensitive data on the webserver. The data, which contained information such as names, addresses, dates of birth, phone numbers and in some cases physical and mental health status, was leaked online shortly afterwards.
Despite the University of Greenwich being unaware that the microsite had been created and remained active for so long, the ICO still decided that the university was ultimately responsible, as it had not put appropriate technical and organisational measures in place to protect the data.
“Whilst the microsite was developed in one of the University’s departments without its knowledge, as a data controller it is responsible for the security of data throughout the institution,” according to Steve Eckersley, head of enforcement at the ICO. “Students and members of staff had a right to expect that their personal information would be held securely and this serious breach would have caused significant distress. The nature of the data and the number of people affected have informed our decision to impose this level of fine.”
The Information Commissioner’s Office described the incident as ‘serious’ and said that the University of Greenwich was the first university to receive a fine under the 1998 Data Protection Act (and likely the last, considering the GDPR will become fully enforceable in just two days’ time).
However, they also allowed that if the University pays its fine by June 15th 2018 and turns down its right to appeal, it will reduce the penalty by 20%. The University of Greenwich has said that it accepts responsibility for the incident and intends to pay the reduced fine immediately.
“We acknowledge the ICO’s findings and apologise again to all those who may have been affected,” said University Secretary Peter Garrod. “No organisation can say it will be immune to unauthorised access in the future, but we can say with confidence to our students, staff, alumni and other stakeholders, that our systems are far more robust than they were two years ago as a result of the changes we have made. We take these matters extremely seriously and keep our procedures under constant review to ensure they reflect best practice.”
The University of Greenwich stated that it carried out an “unprecedented overhaul” of its security and data protection systems and processes in the wake of the findings, and that it had invested in both technology and staff to reduce the chance of a data breach occurring as much as possible.