U.K. Privacy Authority Fines University for Security Breach

May 22, 2018, 3:29 PM

The United Kingdom’s data security office for the first time fined a university under its data protection law.

The U.K. Information Commissioner’s Office fined the University of Greenwich 120,000 pounds, or about $161,000, after a “serious” security breach of nearly 20,000 individuals’ personal information. The university did not have appropriate measures in place to protect its systems from hackers under the Data Protection Act of 1998, according to a May 21 ICO statement.

The episode traces back to 2004, when an academic and student created a microsite on a web server for an event in the university’s computing and mathematics school. The site, which was not shut down or secured after the event, was compromised in 2013. Hackers on multiple occasions in 2016 exploited a vulnerability that allowed them to access databases hosted on the web server, according to the ICO’s penalty notice to the university.

An attacker accessed personal data of about 19,500 students, staff, and alumni, including names, addresses, phone numbers, and email addresses. Hackers accessed sensitive information of about 3,500 people, including staff sickness records, learning difficulties, physical or mental health problems, and food allergies. An attacker posted the personal data online in January 2016, the agency said in the notice.

”Whilst the microsite was developed in one of the University’s departments without its knowledge, as a data controller it is responsible for the security of data throughout the institution,” the ICO’s head of enforcement, Steve Eckersley, said in a statement.

“Students and members of staff had a right to expect that their personal information would be held securely and this serious breach would have caused significant distress,” he said. “The nature of the data and the number of people affected have informed our decision to impose this level of fine.”

The fine aligns with other recent monetary penalties imposed by the agency on institutions. The university must pay the fine by June 16. If the university doesn’t appeal, the penalty can be reduced to 96,000 pounds if it is paid before June 15.

To contact the reporter on this story: Sara Merken in Washington at smerken@bloomberglaw.com

To contact the editor responsible for this story: David Mark at dmark@bloomberglaw.com

To read more articles log in.

Learn more about a Bloomberg Law subscription.