Uni fined for website breach

by Mark Rowe

The University of Greenwich has been fined £120,000 by the Information Commissioner’s Office (ICO) after what the regulator termed a “serious” security breach involving the personal data of nearly 20,000 people.

It is the first uni to be fined by the UK data protection regulator under the Data Protection Act 1998 (DPA); the GDPR updates the UK’s data privacy law later this month.

The ICO’s investigation centred on a microsite developed in 2004, for a training conference, by an academic and a student in the university’s then devolved Computing and Mathematics School (a department which, as the ICO pointed out, included experts in software). After the event the site was neither closed nor secured, and it was compromised in 2013. In 2016 multiple attackers exploited the site’s vulnerability, which allowed them to access other areas of the web server.

The personal data comprised the contact details of 19,500 people, including students, staff and alumni: names, addresses and telephone numbers. Around 3,500 of those records also held sensitive data, such as whether someone had dyslexia, domestic difficulties or health problems, and staff sickness records. The data was posted online in January 2016 on pastebin.com, a site used by hackers to publicise their work. The uni became aware of the breach in June 2016, after comments on social media.

Head of Enforcement at the ICO, Steve Eckersley, said: “Whilst the microsite was developed in one of the University’s departments without its knowledge, as a data controller it is responsible for the security of data throughout the institution. Students and members of staff had a right to expect that their personal information would be held securely and this serious breach would have caused significant distress. The nature of the data and the number of people affected have informed our decision to impose this level of fine.”

The ICO found that the University did not have in place appropriate technical and organisational measures for ensuring, so far as possible, that such a security breach would not occur, i.e. for ensuring that its systems could not be accessed by attackers. For the ruling in full, visit the ICO website.

While the ICO has had the power, under the DPA and the regulations since, to fine offenders a maximum of £0.5m, under the GDPR that ceiling stands to rise considerably.

Comments

Patrick Hunter, an EMEA director of IT access management product company One Identity and an alumnus of Greenwich, said: “The breach, discovered in 2016, shows us that the ICO takes our data protection very seriously. In this particular case it is interesting that there was no real breaking in through layers of firewalls and tackling account privileges, but the data was left in plain sight. It highlights the role of the Data Controller, in this case the University of Greenwich, and the responsibilities they have to the care of their students. If you have someone’s private data, you are responsible and accountable for it.

“The university states it has put in significant measures to prevent such data losses in the future but they also, rightly, say they aren’t immune to further attacks.

“At the very least though, organisations need a Data Loss Prevention policy in place coupled with procedures and policies to protect the accounts that traditionally get abused in order to obtain access to the data. If you control who has access to student personal records then you can track who does what with it. The ability to bulk copy that amount of personal data without any form of governance is unheard of today (or it should be!), but 13 years ago it seemed to be easy and the University has owned up and is paying the fines.

“Know who has access and know what they are doing with it at all times. These same accounts are the targets of the hackers and if they can get access easily, then the fines are going to mount up. Lock those passwords away, don’t let anyone know what they are until they need to check them out. Grant the right people the right level of privilege and check in every now and then as to whether they should still have that level of entitlement. Governance and regulations are not there to be passed and forgotten, but to be on-going processes to protect the users and data from being stolen.”

And Mayur Upadhyaya, managing director, Europe at Janrain, a customer identity and access management software firm, said: “One of the challenges that institutions such as Greenwich University face will be the historic build-up of Shadow IT (systems and solutions built and used without central approval) over the last 20 years. In the run-up to GDPR, systems such as the Greenwich University microsite would not have come up in a data audit.

“Data audits are a key tool of GDPR readiness, however they are not fit for purpose, and lose value and impact in organisations that may have shadow projects that don’t sit under an organisational governance process. There could be hundreds of brands, institutions and organisations that believe they have used best endeavours to protect the rights of data subjects, but could have gaps unbeknown. Shadow IT poses a greater risk as we become a more regulated society to both data subjects and businesses alike.”


© 2024 Professional Security Magazine. All rights reserved.