University of Greenwich fined £120,000 by ICO for massive data breach
24 May 2018
The Information Commissioner’s Office has imposed a fine of £120,000 on the University of Greenwich for failing to prevent the breach of personal data of nearly 20,000 students, staff and alumni. The University is the first university to be fined by the ICO under the existing Data Protection Act.
How did the breach occur?
Back in 2004, an academic and a student at the University of Greenwich created a microsite to support a training conference. The microsite contained personal details of 19,500 students, staff and alumni, including “information on extenuating circumstances, details of learning difficulties and staff sickness records”.
Those who created the microsite did not shut it down after the conference was over, leaving the personal data of thousands of students and staff exposed on a server nobody was maintaining. The breach eventually occurred in 2013, when the microsite was accessed by several attackers.
According to the Information Commissioner’s Office, the University of Greenwich failed to secure either the microsite or the web server it ran on against unauthorised or malicious access, and was therefore liable to a monetary penalty.
“Whilst the microsite was developed in one of the University’s departments without its knowledge, as a data controller it is responsible for the security of data throughout the institution.
“Students and members of staff had a right to expect that their personal information would be held securely and this serious breach would have caused significant distress. The nature of the data and the number of people affected have informed our decision to impose this level of fine,” said Steve Eckersley, head of Enforcement at the ICO.
Fines would have been much higher under GDPR
Commenting on the fine imposed by the Information Commissioner’s Office, Andy Norton, director of threat intelligence at Lastline, said that had GDPR been in force, the University of Greenwich could have faced a fine of £10 million or more, given that the personal data of nearly 20,000 students and staff had been left exposed.
“Clearly the UK Information Commissioner is not in alignment with GDPR about what is proportionate and reasonable as a fine…Nearly 20,000 people had their personal information stolen and dumped out on a pastebin site. The ICO office said that the university did not implement appropriate technical or organisational measures and had overlooked the requirement to have a robust technical implementation.
“If the university pays early the fine is reduced to £96,000, but had it been set next week the fine would have been £10 million or more, given the lack of safeguards in place,” he said.
Mayur Upadhyaya, managing director, Europe at Janrain, said that a fine like the one imposed on the University of Greenwich could fall on any organisation with shadow IT (systems and solutions built and used without central approval), since such an organisation has little visibility over those assets and may be unable to detect a breach of them.
“Data audits are a key tool of GDPR readiness; however, they are not fit for purpose, and lose value and impact, in organisations that may have shadow projects that don’t sit under an organisational governance process.
“There could be hundreds of brands, institutions and organisations that believe they have used best endeavours to protect the rights of data subjects, but could have gaps unbeknown. Shadow IT poses a greater risk as we become a more regulated society to both data subjects and businesses alike,” he added.