The Information Commissioner’s Office (ICO) fined the University of Greenwich £120,000 for a “serious” security breach of personal data.
On 21 May, the United Kingdom’s Information Commissioner announced the fine. It’s the first time the ICO has levied such a penalty against a university under the Data Protection Act 1998.
According to the ICO’s report on the matter, the trouble started in 2013 when someone compromised a microsite created nine years previously on the web server of Greenwich University’s Computing and Mathematics School. Multiple attackers then leveraged SQL injection against the microsite to upload PHP exploits. These malicious actions enabled the attackers to access other parts of the web server, including databases that contained the personal information of 19,500 staff, faculty, students and other data subjects.
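As an added illustration, not part of the ICO report or the University's own tooling, the following Python script scans constructed web-server access-log lines for the chain described above: an injection attempt against a legacy microsite script, followed by a successful request to a PHP file that is not in the site's known inventory (or that sits under an upload directory). The hosts, paths, timestamps and the `KNOWN_PHP` inventory are assumptions made for the example.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed Apache-style access-log lines standing in for a legacy
# microsite's traffic; the hosts, paths and timestamps are invented.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Apr/2016:10:01:02 +0100] "GET /micro/news.php?id=12 HTTP/1.1" 200 5120
203.0.113.5 - - [10/Apr/2016:10:01:09 +0100] "GET /micro/news.php?id=12%27%20UNION%20SELECT%201,2,3--%20 HTTP/1.1" 200 5301
203.0.113.5 - - [10/Apr/2016:10:02:30 +0100] "GET /micro/uploads/x.php HTTP/1.1" 200 812
198.51.100.7 - - [10/Apr/2016:10:03:00 +0100] "GET /micro/index.php HTTP/1.1" 200 2048
"""
# Scripts the microsite legitimately serves (assumed inventory).
KNOWN_PHP = {"/micro/index.php", "/micro/news.php"}

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# Injection shapes after URL-decoding: quote followed by a SQL keyword or
# comment marker, a UNION SELECT, or a numeric tautology.
SQLI_RE = re.compile(r"'\s*(union|select|or|and)\b|\bunion\s+select\b"
                     r"|\bor\s+\d+=\d+|'\s*(--|#|/\*)", re.I)

def parse_line(line):
    """Split one combined-format log line into its fields, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, status = m.groups()
    parts = urlsplit(target)
    return {"ip": ip, "ts": ts, "method": method, "path": parts.path,
            "query": unquote_plus(parts.query), "status": int(status)}

def is_sqli(query):
    return bool(SQLI_RE.search(query))

def is_unexpected_php(path, known=KNOWN_PHP):
    # A .php file outside the inventory, or anything under an upload
    # directory, is a candidate for a script dropped by an attacker.
    return path.endswith(".php") and (path not in known or "/uploads/" in path)

def analyse(log_text, known=KNOWN_PHP):
    """Group findings per client; 'high' = injection then a new PHP file served."""
    findings = {}
    for raw in log_text.splitlines():
        r = parse_line(raw)
        if not r:
            continue
        f = findings.setdefault(r["ip"], {"sqli": [], "dropped_php": []})
        if is_sqli(r["query"]):
            f["sqli"].append(r["path"])
        if is_unexpected_php(r["path"], known) and r["status"] == 200:
            f["dropped_php"].append(r["path"])
    for f in findings.values():
        hits = bool(f["sqli"]) + bool(f["dropped_php"])
        f["severity"] = {0: "none", 1: "medium", 2: "high"}[hits]
    return findings
```

Run against the sample, the injecting client is reported as "high" because the same address first sends a quoted `UNION SELECT` to `news.php` and then receives a 200 from a PHP file under `/uploads/`, which is the sequence a defender would want paged out of a legacy host's logs.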
A bad actor subsequently exfiltrated that data and published it on Pastebin.
The University of Greenwich eventually learned of the breach in June 2016 following additional compromises of the microsite in April and May of that year.
Steve Eckersley, head of enforcement at the ICO, said the fine reflects the University’s failure to properly secure the information of all its data subjects. As quoted in the ICO’s statement:
Whilst the microsite was developed in one of the University’s departments without its knowledge, as a data controller it is responsible for the security of data throughout the institution. Students and members of staff had a right to expect that their personal information would be held securely and this serious breach would have caused significant distress. The nature of the data and the number of people affected have informed our decision to impose this level of fine.
The University released its own statement in response to news of the fine. In it, school officials explained how the University invested in new security architecture, hired internal experts and began scanning the entire organization for security weaknesses daily as part of its vulnerability management program after discovering the breach in 2016.
“Taken together, these important steps amount to an unprecedented overhaul of our data protection and security systems, and our stakeholders can have confidence in the enhanced measures we now have in place,” the University said.
Greenwich University went on to clarify that it will ultimately pay a total of £96,000 as part of a prompt payment discount offered by the ICO.