London based Greenwich University have been fined £120,000 following the discovery of a data breach relating to the shared information of a portion of their students’ personal information.
Although the case only came to light in 2016; the original breach in fact dates back to 2004, when the personal information of around 19,500 students was uploaded to a ‘micro-site‘ for a training conference.
Although the data could have easily been secured by closing the microsite following training; the site was not taken down, leaving Greenwich University students’ names, addresses, signatures and even health statuses up for grabs.
The site was developed within a department of Greenwich University without the knowledge of the University, which may alleviate the problem slightly for Greenwich, but regulations mean that the responsibility still falls with the institution down to their status as a ‘data controller’.
Although they have an obligation as an educational institution to keep al personal information private, and the situation not being small, the university have been granted a cut fine of £96,000, made possible by a “prompt payment discount”.
Steve Eckersley, Head of enforcement at the ICO said that the results of the breach, and the extent of the fine are down to the teachers and students of the University having “,a right to expect that their personal information would be held securely,” and the distress that the breach has caused them.
Greenwich University have since apologised to all students who’s data was involved in the breach, and have invested time and money into creating more “robust systems” since the breach, also going on to say; “We take these matters extremely seriously and keep our procedures under constant review to ensure they reflect best practice.”
Although, the University have also said that they are fully aware that no institution is immune to a cyber breach, and they can only take all possible precautions to prevent a similar event in the future. There is no doubt that their new systems will prevent future breaches if the right approach is taken, but the lasting damage that a breach has on the reputation of the University could have a sizeable impact.