The UK's Information Commissioner has slapped a £120,000 fine on the University of Greenwich after a security cockup by its computing and maths school compromised the data of almost 20,000 individuals.
The incident occurred after an academic and a student from the then devolved department developed a microsite to facilitate a training conference in 2004.
The microsite, which was not closed down or secured post event, was first compromised in 2013 and then hit by multiple attackers in 2016 who exploited the vulnerability to access other areas of the web server.
The personal data included the contact information of 19,500 people such as students, staff and alumni – comprising names, addresses and telephone numbers. Around 3,500 records involved sensitive data such as details of learning difficulties and staff sickness records, which were subsequently posted online.
Steve Eckersley, ICO head of enforcement, said:
Whilst the microsite was developed in one of the University’s departments without its knowledge, as a data controller it is responsible for the security of data throughout the institution.
Students and members of staff had a right to expect that their personal information would be held securely and this serious breach would have caused significant distress. The nature of the data and the number of people affected have informed our decision to impose this level of fine.
The commissioner found the university did not have in place appropriate technical and organisational measures for ensuring, so far as possible, that such a security breach would not occur.
Greenwich University secretary Peter Garrod said:
We acknowledge the ICO’s findings and apologise again to all those who may have been affected. Since 2016 when the unauthorised access to some of the university’s data was discovered, we have carried out a major review of our data protection procedures and made a number of key changes.
Specifically, we have invested significantly in new technology and staff; overhauled the information technology governance structure to improve internal accountability; and implemented new monitoring systems and a rapid response team to anticipate and act on threats.
No organisation can say it will be immune to unauthorised access in the future, but we can say with confidence to our students, staff, alumni and other stakeholders, that our systems are far more robust than they were two years ago as a result of the changes we have made. We take these matters extremely seriously and keep our procedures under constant review to ensure they reflect best practice.