UK WATCHDOG the Information Commissioner's Office (ICO) has slapped a £120,000 fine on the University of Greenwich after a "serious" security breach exposed the data of 19,500 students.
The incident, which has led to Greenwich becoming the first university to be fined by the ICO, relates to a microsite developed by an academic and a student in the then-devolved University's Computing and Mathematics School, to facilitate a training conference in 2004.
The microsite, which was not shut down or secured following the conference, was first compromised in 2013, and in 2016 it was accessed by multiple hackers who exploited the site's vulnerability to access other areas of the web server.
This saw the personal data of 19,500 people, including students, staff and alumni, placed online, including names, addresses and telephone numbers. Around 3,500 records involved sensitive data such as details of learning difficulties and staff sickness records, which were subsequently posted online.
"Whilst the microsite was developed in one of the University's departments without its knowledge, as a data controller it is responsible for the security of data throughout the institution," said Steve Eckersley, head of enforcement at the ICO, following Monday's schooling.
"Students and members of staff had a right to expect that their personal information would be held securely and this serious breach would have caused significant distress.
"The nature of the data and the number of people affected have informed our decision to impose this level of fine."
In a statement, the uni said it would not appeal against the decision, adding that it had carried out "an unprecedented overhaul" of its systems since the discovery of the breach in 2016.
"We acknowledge the ICO's findings and apologise again to all those who may have been affected," said University Secretary Peter Garrod.
"No organisation can say it will be immune to unauthorised access in the future, but we can say with confidence to our students, staff, alumni and other stakeholders, that our systems are far more robust than they were two years ago as a result of the changes we have made.
"We take these matters extremely seriously and keep our procedures under constant review to ensure they reflect best practice."