Greenwich University has had the dubious honor of becoming the first university in the UK to be fined by the Information Commissioner’s Office (ICO).
The privacy watchdog slapped the £120,000 fine down after a 2016 incident in which the personal details of nearly 20,000 staff, students and alumni were stolen in a breach.
The hackers managed to infiltrate the university’s network after targeting multiple vulnerabilities in a microsite from 2004 which was still up and running.
The stolen PII included contact details (names, addresses and telephone numbers) for all 19,500 people. For around 3,500 of them, far more sensitive data was also taken and subsequently posted online, including information on extenuating circumstances, details of learning difficulties and staff sickness records.
That will certainly have increased the size of the fine significantly, as the ICO takes a dim view of organizations that fail to protect data which, if leaked, could cause significant distress to the individual.
The ICO found that Greenwich University did not have appropriate technical and organizational measures in place to prevent the breach.
The university is just lucky the incident happened in 2016 rather than next week, when the GDPR will empower the ICO to levy even higher fines if it chooses.
“Whilst the microsite was developed in one of the university’s departments without its knowledge, as a data controller it is responsible for the security of data throughout the institution,” said ICO head of enforcement, Steve Eckersley.
“Students and members of staff had a right to expect that their personal information would be held securely and this serious breach would have caused significant distress. The nature of the data and the number of people affected have informed our decision to impose this level of fine.”
Proofpoint cybersecurity specialist Adenike Cosgrove argued that data breaches are the new normal.
“As in this case, human error can mean the difference between a normal day and a data protection disaster. In addition to technical controls, employees must also be trained on the working practices required of the GDPR,” she added. “What we’re seeing from a lot of organizations is a situation where technology solutions and processes are in place to a certain degree, but the equally important employee awareness aspect is still yet to be adequately addressed.”