The ICO fined Greenwich University £120,000 for failing to prevent a serious data breach.
The breach disclosed the data of 19,500 students. It stemmed from a microsite developed by an academic and a student in the then-devolved University’s Computing and Mathematics School to facilitate a training conference in 2004. The data included names, addresses, dates of birth, phone numbers and signatures. Around 3,500 of these records included sensitive data such as information on extenuating circumstances, details of learning difficulties and staff sickness records. The data was subsequently posted online.
Greenwich was the first university to receive a fine under the Data Protection Act. Notably, the site was not closed down or secured after the conference in 2004, and it was first compromised in 2013. In 2016, multiple attackers exploited the site's vulnerability, which allowed them to access other areas of the web server.
The university did not appeal against the ICO decision. Instead, University Secretary Peter Garrod said “we acknowledge the ICO’s findings and apologise again to all those who may have been affected”. He added that “No organisation can say it will be immune to unauthorised access in the future, but we can say with confidence to our students, staff, alumni and other stakeholders, that our systems are far more robust than they were two years ago as a result of the changes we have made”.
The Commissioner found that the University did not have in place appropriate technical and organisational measures for ensuring, so far as possible, that such a security breach would not occur.