Umeå University research group held sensitive information on insecure cloud storage


A Swedish university has been fined SEK550,000 ($66,000) for storing sensitive personal information in the cloud without sufficiently protecting the data.

Umeå University, in mid-northern Sweden, violated the General Data Protection Regulation (GDPR) by failing to properly secure data related to a research study on male sexual health, the Swedish Data Protection Authority has ruled.

A research group had gained access to preliminary police reports concerning cases of male rape, a statement from the regulator reads.

On receiving the files, the university group scanned and stored them digitally in a US cloud storage service, despite the institution informing faculty members via its intranet that such sensitive files should not be stored in this way.


Read more of the latest GRPR news and breaches


The reports contained information on the suspicion of crime, name, personal identity number, and contact details, as well as sensitive data about sexual life and overall health.

In another incident, the research group sent an email to the police requesting further information with one of the scanned reports attached as a reference.

The research group later repeated this action, despite the fact that the police pointed out the inappropriateness in sending sensitive material in unencrypted emails, the report states.

Reporting failures

Linda Hamidi, who led the investigation by the Swedish Data Protection Authority, said that “the cloud service and the way the university uses it does not provide sufficient protection for this type of personal data”.

The report reads: “These events show that the university has not taken necessary measures to ensure a level of security appropriate in relation to the risk.”

Umeå University was also faulted for failing to report the data breach under GDPR laws, which came into effect in May 2018.

The report adds: “The Swedish Data Protection Authority also criticizes the university for failing to report the incident as a personal data breach.”

“The controller is obliged to notify the DPA of data breaches and furthermore to present to us what has been done to mitigate the effects of the incident and to prevent similar incidents from happening in the future.”


READ MORE Healthcare security woes: More than 45 million medical images openly accessible online