The University of Greenwich has suffered a data breach, following which the Information Commissioner has imposed a fine of £120,000 ($160,000) upon the University; the breach involved the personal data of almost 20,000 people.
A release from the Information Commissioner’s Office (ICO) says- “The University of Greenwich has been fined £120,000 by the Information Commissioner following a “serious” security breach involving the personal data of nearly 20,000 people – among them students and staff.”
The University of Greenwich too has come out with a release, which says- “The Information Commissioner’s Office has imposed a penalty on the University of Greenwich and has issued its findings on a breach of personal data which was discovered in 2016 and involved unauthorised access to some data on the university’s systems at the time.”
This is the first time that the Information Commissioner is imposing a fine upon a university under the existing data protection legislation, the Data Protection Act 1998.
As per reports, the breach involves data like names of students, addresses, dates of birth, phone numbers, signatures etc. It’s also reported some data pertaining to physical and mental health problems of students too might have been involved. The data was reportedly uploaded onto a microsite, in 2004, for a training conference; the website, after the conference, was not secured or closed down. The microsite was compromised in 2013 and the data, which was published alongside the minutes of the conference, got posted elsewhere as well.
BBC reports- “In some cases it included individual students’ study progress, including reasons why they had fallen behind, and copies of emails between them and staff. In one example, it was disclosed that a student had a brother who was fighting in a Middle Eastern army and references were made to an asylum application.” BBC also reports that it was a student who had discovered the breach; the student had brought the matter to the knowledge of the Information Commissioner Office and the BBC.
Steve Eckersley, Head of Enforcement at the ICO, has said- “Whilst the microsite was developed in one of the University’s departments without its knowledge, as a data controller it is responsible for the security of data throughout the institution…Students and members of staff had a right to expect that their personal information would be held securely and this serious breach would have caused significant distress. The nature of the data and the number of people affected have informed our decision to impose this level of fine.”
The University of Greenwich has made it clear that it wouldn’t appeal the penalty; the ICO has also reduced the fine to £96,000 with a prompt payment discount. The University, in its release, says- “We take this extremely seriously, and would like to apologise again to those who may have been affected…Since 2016, we have taken a number of significant steps to enhance our data protection procedures.”