The UK’s Information Commissioner has fined the University of Greenwich £120,000 for a data breach from 2004 that involved nearly 20,000 staff and students.
The fine has been issued in accordance with the Data Protection Act 1998 and doesn’t relate to the EU’s new GDPR.
The circumstances surrounding the fine involve a student creating a bespoke website on behalf of an academic from the School of Computing and Mathematics in 2004.
The website was initially designed for a training conference and facilitated anonymous uploads of training conference papers through a web form.
The upload functionality wasn’t disabled after the conference ended and the ICO states it has evidence that the website was compromised in 2013.
Attackers then further exploited the vulnerability in 2016, using SQL injection to gain access to an account whose privileges gave them access to other databases on the web server.
From there, the attackers gained access to large volumes of personal data on students and staff.
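The chain described above (a forgotten web form accepting input that reaches a database query) comes down to untrusted input being spliced into SQL text. The following Python example is added here to illustrate that point; it is not code from the university's site or from the article. It uses an in-memory SQLite table with constructed sample rows and shows the string-built query beside the parameterized one, with a hypothetical `lookup_*` pair of functions as the only interface:

```python
import sqlite3

# Constructed sample data standing in for the kind of author/contact table a
# conference-paper upload site might keep; not the university's real schema.
SAMPLE_ROWS = [
    ("alice", "Alice Example", "alice@example.invalid"),
    ("bob", "Bob Example", "bob@example.invalid"),
]


def build_db():
    """Create a throwaway in-memory database populated with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE authors (username TEXT, full_name TEXT, email TEXT)")
    conn.executemany("INSERT INTO authors VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, username):
    """Defective lookup: the caller's input is pasted into the SQL text, so any
    SQL syntax inside it becomes part of the statement the database runs."""
    query = (
        "SELECT username, full_name, email FROM authors "
        f"WHERE username = '{username}'"
    )
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username):
    """Hardened lookup: the input is bound as a parameter, so the database
    treats it strictly as a value and never as SQL."""
    query = "SELECT username, full_name, email FROM authors WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def demo():
    """Run the same crafted input through both lookups and report row counts."""
    conn = build_db()
    crafted = "' OR '1'='1"  # constructed input; closes the quote and adds a tautology
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, crafted)),
        "parameterized_rows": len(lookup_parameterized(conn, crafted)),
    }


if __name__ == "__main__":
    print(demo())
```

With the crafted input the string-built query collapses to `WHERE username = '' OR '1'='1'` and returns every row, while the parameterized query looks for a literal username containing quotes and returns nothing. Parameterization addresses the injection itself; the article's second lesson, that the compromised account could reach other databases on the same server, is a separate least-privilege control: the web application's database user should be limited to the tables the form actually needs.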
The personal data accessed was predominantly names, telephone numbers and email addresses; however, the ICO also states that sensitive information on mental health problems, food allergies and learning difficulties was accessed.
The ICO believes sensitive information on 3,500 staff and students may have been accessed during the attack.
According to a statement on its website, the University of Greenwich does not intend to appeal the decision and has taken advantage of the ICO’s prompt payment offer that will reduce the fine to £96,000.
The press release also states, “We take this extremely seriously, and would like to apologise again to those who may have been affected.
“Since 2016, we have taken a number of significant steps to enhance our data protection procedures [including]…hiring new dedicated internal experts whose sole focus is information security”.
Universities can struggle with information management owing to the amount of information published on university websites.
Some universities have tens of thousands of employees, many of whom have access to various sections of their employer's website, and digital governance is notoriously difficult to institute without modern technology and rigorous workflow.
According to the ICO’s head of enforcement, Steve Eckersley, “The nature of the data and the number of people affected have informed our decision to impose this level of fine”.