The University of Greenwich has been fined £120,000 by the UK Information Commissioner for a serious data breach involving close to 20,000 people.
On Monday, the UK information watchdog said the fine was the first issued to a university under the Data Protection Act 1998.
Under the UK’s current data protection rules, controllers of information — such as the university — are required to take reasonable steps to protect data.
However, regulators say (.PDF) that the University of Greenwich failed in this duty following a training conference in 2004.
The conference was held in the then devolved University’s Computing and Mathematics School. A microsite was dedicated to the training event which logged information from both staff and students — and this website was not secured or closed down afterward.
Three years later, threat actors exploited a vulnerability in the domain to access areas of the web server. As a result, information including names, addresses, and telephone numbers belonging to 19,500 people including students, staff, and alumni was compromised.
To make matters worse, data belonging to roughly 3,500 of these individuals and exposed through the server included sensitive information such as details on sickness, learning difficulties, and “extenuating circumstances,” according to the regulator.
This information was then leaked online.
“Students and members of staff had a right to expect that their personal information would be held securely and this serious breach would have caused significant distress,” said Steve Eckersley, Head of Enforcement at the ICO. “The nature of the data and the number of people affected have informed our decision to impose this level of fine.”
The ICO’s investigation revealed that the microsite was developed without the university — as an institution — knowing at the time, as the department was devolved. However, this does not remove the university’s overall responsibility.
The ICO believes that appropriate technical and management systems were not in place which would be defined as “reasonable” data protection efforts. Therefore, the fine was imposed.
With the General Data Protection Regulation (GDPR) deadline of 25 May 2018 only days away, consequences in the future for lax security and poor data protection will become more strict. However, the journey has already shown itself to be a difficult one for organizations.
A recent IBM study suggests that while many businesses believe GDPR could become a force for good in terms of consumer data collection restrictions and privacy, only 36 percent of organizations believe they will be ready in time.
In response to the decision, the university accepted responsibility and plans to pay the fine immediately, which will reduce the amount owed to £96,000.
“Since 2016, we have taken a number of significant steps to enhance our data protection procedures,” the university added. “We take this extremely seriously, and would like to apologize again to those who may have been affected.”