Institute penalised by the ICO, setting the tone for GDPR

Greenwich University in the UK has been served a £120,000 ($161,000) fine by the Information Commissioner’s Office (ICO), following a major data breach that saw thousands of students’ personal information exposed online.

Names, addresses, and telephone numbers of 19,500 people, including university staff, were made available to attackers after the data was uploaded to a microsite originally set up for a training conference in 2004.

Microsites are attached to a main website but typically have a temporary purpose, with information viewable to only a select group like the site’s admin, or in this case, attendees of an event.

Once the event was over, the site in question was neither secured nor shut down, which led to the data being compromised in 2013 and on four separate occasions in 2016.

According to the ICO investigation, this was caused by the microsite’s upload function – originally intended so that conference papers could be shared online between participants.

Leaving the function in place after the event allowed multiple attackers to compromise the database through SQL injection and to upload known PHP exploits.
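The two weaknesses the ICO describes, an upload function that outlived its event and a database reachable through SQL injection, are both addressed by the following hardened upload handler. It is an added example written for this article, not code from the university or the microsite in question, and it assumes a PHP/MySQL stack, an `attendee_id` session value set by the site's login, a `papers` table, and placeholder paths, dates and connection details that a real deployment would replace.

```php
<?php
// Added example (not the microsite's own code): a time-boxed, allowlisted upload
// endpoint that stores files outside the web root and records them with a
// prepared statement. All paths, dates and credentials below are placeholders.

declare(strict_types=1);
session_start();

// 1. Time-box the feature: refuse uploads once the conference is over, so a
//    forgotten microsite cannot keep accepting files for years afterwards.
const EVENT_UPLOAD_DEADLINE = '2004-12-31T23:59:59+00:00'; // placeholder date
// 2. Keep uploads outside DocumentRoot so nothing uploaded is ever served or executed.
const UPLOAD_DIR = '/var/lib/microsite/uploads';            // placeholder path
const MAX_BYTES  = 10 * 1024 * 1024;

// 3. Allowlist by sniffed content type, mapped to a server-chosen extension.
$allowedTypes = ['application/pdf' => 'pdf'];

function uploadsOpen(): bool {
    return new DateTimeImmutable() <= new DateTimeImmutable(EVENT_UPLOAD_DEADLINE);
}

function validateUpload(array $file, array $allowedTypes): string {
    if ($file['error'] !== UPLOAD_ERR_OK) { throw new RuntimeException('Upload failed'); }
    if ($file['size'] > MAX_BYTES)        { throw new RuntimeException('File too large'); }
    // Never trust the client-supplied name or MIME type; inspect the bytes instead.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset($allowedTypes[$mime]))     { throw new RuntimeException('File type not permitted'); }
    return $allowedTypes[$mime];
}

function storeUpload(array $file, string $ext): string {
    // Random server-chosen file name: the original name (and anything like ".php" in it) is discarded.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) { throw new RuntimeException('Could not store file'); }
    chmod($dest, 0640); // readable by the app, no execute bit
    return $name;
}

function recordUpload(PDO $db, string $storedName, string $originalName, int $attendeeId): void {
    // Prepared statement: user-controlled values are bound as parameters, never concatenated into SQL.
    $stmt = $db->prepare(
        'INSERT INTO papers (stored_name, original_name, attendee_id, uploaded_at) VALUES (:s, :o, :a, :t)'
    );
    $stmt->execute([
        ':s' => $storedName,
        ':o' => mb_substr($originalName, 0, 255),
        ':a' => $attendeeId,
        ':t' => date('c'),
    ]);
}

// Request handling: closed event, unauthenticated caller or missing file are rejected up front.
if (!uploadsOpen())                  { http_response_code(410); exit('Uploads closed: the conference has ended.'); }
if (!isset($_SESSION['attendee_id'])) { http_response_code(403); exit('Attendees only.'); }
if (!isset($_FILES['paper']))         { http_response_code(400); exit('No file supplied.'); }

try {
    $ext    = validateUpload($_FILES['paper'], $allowedTypes);
    $stored = storeUpload($_FILES['paper'], $ext);
    $db = new PDO('mysql:host=localhost;dbname=microsite', 'app', getenv('DB_PASS') ?: ''); // placeholder DSN
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // real server-side prepares
    recordUpload($db, $stored, (string) $_FILES['paper']['name'], (int) $_SESSION['attendee_id']);
    echo 'Paper received.';
} catch (RuntimeException $e) {
    http_response_code(400);
    echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
}
```

The deadline check is the part most directly aimed at the failure mode in this story: a microsite built for a single event should stop accepting input on its own, rather than depending on someone remembering to decommission it a decade later. The prepared statement and the content-sniffed allowlist address the two exploitation routes the ICO named, SQL injection and the upload of PHP files.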

More sensitive information from this database, such as the medical records of approximately 3,500 people, was also posted online and could easily be found through a basic Google search.

The University was made aware of the security breach on 8 June 2016 after a former student allegedly exploited the microsite’s vulnerability and posted the information on the dark web, the Evening Standard reported.

Steve Eckersley, head of enforcement at the ICO, said in a statement: “Whilst the microsite was developed in one of the university’s departments without its knowledge, as a data controller it is responsible for the security of data throughout the institution.

“Students and members of staff had a right to expect that their personal information would be held securely and this serious breach would have caused significant distress.

“The nature of the data and the number of people affected have informed our decision to impose this level of fine.”

Responding to the recent ICO fine, the university said that it did not intend to appeal the penalty.

It said: “Since 2016, we have taken a number of significant steps to enhance our data protection procedures.

“These include making major investments in new security architecture, tools and technologies, hiring new dedicated internal experts whose sole focus is information security, conducting vulnerability testing across the entire organisation every day – the only university, so far as we know, to do so – making information security training mandatory for all staff, reforming the system of internal IT governance, developing a rapid incident response to tackle threats as they arise and quickly learn lessons from incidents.

“Taken together, these important steps amount to an unprecedented overhaul of our data protection and security systems, and our stakeholders can have confidence in the enhanced measures we now have in place.”

The university is the first higher education institution to be fined under the Data Protection Act 1998.

The fine, which comes days before new data protection regulation takes effect, will be reduced by 20% to £96,000 if paid promptly, the ICO said.