University of Greenwich has been hit with a fine under the 1998 Data Protection Act. This fine is delivered just days before the General Data Protection Regulation (GDPR) goes into effect.


The fine assigned to the University of Greenwich is €120,000. The Data Protection Act places a duty on any handler of personal data to protect that data, and in this instance the University of Greenwich failed to do so. Sensitive personally identifiable information belonging to roughly 20,000 individuals was compromised.

Greenwich has confirmed that it will pay the fine promptly, which reduces it to €96,000. The reduced fine does nothing to lessen the severity of the data leak itself.

How did this data breach occur?

Let’s pedal backwards to 2004. That year, the university hosted a training conference within what was then the separately run Computing and Mathematics school. For the conference, a microsite was created to collect and store personal information about both students and staff affiliated with the university. The site should have been secured while in use and taken down once it was no longer needed; neither happened.

Because the site was never secured or removed, the microsite was first compromised in 2013, and in 2016 attackers found the same vulnerability again. They exploited it and then moved on from the microsite into other sensitive areas of the server.

The data accessed and exposed belong to students, staff and alumni members. Data ranging from contact info and signatures to mental health records are within the scope of the PII (personal identifiable information) exposed. Once the information was accessed it was then listed on the web for all to see.

University of Greenwich was in the dark about the microsite

When the microsite was created, the Computing and Mathematics school operated separately from the rest of the university, and the rest of the university was unaware the site existed. The school is nonetheless part of the university as a whole, which is the data handler under the Data Protection Act and is therefore responsible for security measures across every part of the institution.

The secretary of the University, Peter Garrod, stated:

“No organisation can say it will be immune to unauthorised access in the future, but we can say with confidence to our students, staff, alumni and other stakeholders, that our systems are far more robust than they were two years ago as a result of the changes we have made.”

Looking forward

All entities handling any form of PII should take note of this cyber security news. The stiff penalty assigned to the University of Greenwich directly reflects its failure to comply with the Data Protection Act of 1998, the highly sensitive nature of the data exposed, and the number of people affected.

Rest assured that with the GDPR officially arriving in just a few short days, future fines will be steeper. The GDPR imposes stricter data protection requirements on all organizations conducting business within the EU or with any EU resident. Get GDPR ready now.