University of Greenwich fined £120,000 for leaking data of 20,000 students and staff
The University of Greenwich must pay a £120,000 fine after an unpatched security flaw led to the leak of students’ and staff’s personal data.
Nearly 20,000 people were affected by the “serious breach”, which occurred in 2016 when hackers discovered a vulnerability in an unsecured microsite built back in 2004.
The exposed data included names, addresses and phone numbers, as well as sensitive information on 3,500 people, including details of students’ extenuating circumstances, learning difficulties and staff sickness records.
While the microsite was built specifically for a training conference at the university’s Computing and Mathematics School, which was devolved at the time, it was never shut down or made secure, and was first compromised in 2013.
Hackers then used the same vulnerability to access the web server, gaining access to 19,500 staff and students’ information.
“Whilst the microsite was developed in one of the university’s departments without its knowledge, as a data controller it is responsible for the security of data throughout the institution,” said Steve Eckersley, head of enforcement at the Information Commissioner’s Office (ICO).
“Students and members of staff had a right to expect that their personal information would be held securely and this serious breach would have caused significant distress. The nature of the data and the number of people affected have informed our decision to impose this level of fine.”
The £120,000 penalty is the first the data protection watchdog has issued to a university under the Data Protection Act 1998, out of a maximum £500,000 fine it can impose.
However, new EU data protection rules come into force on Friday that introduce higher sanctions. The General Data Protection Regulation (GDPR) will allow regulators to fine organisations that suffer data breaches a maximum of €20 million, or 4% of their annual turnover.
Alphr has contacted the University of Greenwich. When we reported on the breach at the time, university secretary Louise Nadal called it “a serious, unprecedented error”, and said she would conduct an investigation into what happened.
“This will form part of a robust review, to make sure that this cannot happen again,” she added at the time. “The university is committed to protecting confidential data and apologises for this error.”