University incurs £120,000 fine for failure to shut down short term microsite that left personal data vulnerable
The University of Greenwich has been fined £120,000 by the Information Commissioner’s Office (ICO) following a “serious” security breach involving the personal data of nearly 20,000 people including students and staff.
It is the first university to have been fined by the commissioner under the existing Data Protection Act.
The ICO imposed the fine in response to the university failing to close down a microsite set up, by an academic and a student in the then devolved university’s Computing and Mathematics School, for a training conference in 2004.
After the event, the site was not closed down or secured and was compromised in 2013. In 2016 multiple attackers exploited the vulnerability of the site allowing them to access other areas of the web server.
The attacks opened up personal data including contact details of 19,500 people including students, staff and alumni such as names, addresses and telephone numbers. Around 3,500 of these included sensitive data such as information on extenuating circumstances, details of learning difficulties and staff sickness records and was subsequently posted online.
Controller's liability
Head of enforcement at the ICO, Steve Eckersley, said: “Whilst the microsite was developed in one of the university’s departments without its knowledge, as a data controller it is responsible for the security of data throughout the institution.
“Students and members of staff had a right to expect that their personal information would be held securely and this serious breach would have caused significant distress. The nature of the data and the number of people affected have informed our decision to impose this level of fine.”
The ICO found that the university did not have in place appropriate technical and organisational measures for ensuring, so far as possible, that such a security breach would not occur.
It also indicated that it will reduce the fine by 20% if it is paid in full by 15 June, but not if the university appeals.
Image by rchris7702, CC BY 2.0 through flickr
