ICO Fine Data Breach

5 June 2018

The University of Greenwich has been fined £120,000 by the Information Commissioner following a serious security breach involving the personal data of nearly 20,000 people. 

It is the first university to be fined by the Commissioner.  The investigation centred on a microsite developed by an academic and a student in 2004.

After the event, the site was not closed down or secured and was compromised in 2013. In 2016, multiple attackers exploited the site's vulnerability, which allowed them to access other areas of the web server.

The personal data included contact details, such as names, addresses and telephone numbers, of 19,500 people including students, staff and alumni. However, around 3,500 of these included sensitive data, such as information on extenuating circumstances, details of learning difficulties and staff sickness records, and was subsequently posted online.

The Commissioner found that the University did not have in place appropriate technical and organisational measures for ensuring, so far as possible, that such a security breach would not occur and that suitable steps were not in place to prevent its systems from being accessed by attackers.