The University of Greenwich has been fined £120,000 by the Information Commissioner's Office (ICO) for a security breach that shows why organisations must keep an inventory of every website they run and either secure or decommission the ones that are no longer in use.
The breach was traced to a forgotten microsite, created by a student and a professor in 2004 for a training conference, that had been hacked. The compromised site gave the attackers a backdoor into the university's network, through which they stole the personal details of 19,500 people. According to the ICO, the data included names, addresses and telephone numbers.
Organisational responsibility for security breach
Although the microsite was developed without the university's knowledge, the ICO said that the university did not have appropriate technical and organisational measures in place to ensure security, and that responsibility for security throughout the institution rested with the university, not with whoever happened to set up an individual site.
ICO head of enforcement Steve Eckersley said, “Students and members of staff had a right to expect that their personal information would be held securely, and this serious breach would have caused significant distress. The nature of the data and the number of people affected have informed our decision to impose this level of fine.”
The University of Greenwich said it would not appeal the decision and would take advantage of a prompt-payment discount, reducing the fine by 20% to £96,000. It added that it had since overhauled its data protection and security systems.
University secretary Peter Garrod said, “No organisation can say it will be immune to unauthorised access in the future, but we can say with confidence to our students, staff, alumni and other stakeholders, that our systems are far more robust than they were two years ago as a result of the changes we have made.”
Previous data breach by University of Greenwich
The ICO said this was the first time a university had been fined under the current legislation, the Data Protection Act 1998, although other breaches had been reported and investigated in that time. These include a separate data breach involving Greenwich University in 2016, in which the personal details of postgraduate research students were stolen and posted online by the hackers.
In one example, the published records disclosed that a student had a brother fighting in a Middle Eastern army, and references were made to an asylum application. However, the university said that the ICO had concluded that no enforcement action was necessary in that instance.
With the implementation of GDPR on 25 May 2018, organisations will face greater scrutiny over data protection and security and may be fined up to €20 million or 4% of annual worldwide turnover, whichever is higher. Fines are tiered according to the seriousness of the violation: the lower tier is capped at €10 million or 2% of turnover, the upper tier at €20 million or 4%.
Make sure your organisation is fully secured against data breaches and hackers. Globalnet offers managed cyber security plans for businesses of all sizes, including the UK Government backed Cyber Essentials Scheme. Speak to one of our consultants for more details. Call 0203 005 9650.