Greenwich University has been fined £120,000 after a security breach at the university resulted in the leak of 19,500 students' data to the internet, according to Signavio. This data included names, addresses, dates of birth, phone numbers, signatures and, in some cases, physical and mental health problems.
The breach was caused by a former student of the university who broke into a critical server and uploaded all of the students' data to the dark web. Greenwich University is the first university to receive a fine under the Data Protection Act 1998, and the Information Commissioner called the breach “serious”.
Four months earlier, Greenwich University was involved in a separate data breach involving the publication of hundreds of researchers' details on the university's website. The two breaches are linked to a critical vulnerability in a microsite set up in 2004 for a training conference, which was subsequently neither closed down nor secured.
To securely hold data, it is important for the processes that contain the data to be properly tracked and documented, say process management experts at Signavio.
Dr Gero Decker, CEO and co-founder at Signavio, commented in an email to SC Media UK: “With a number of regulations coming into force this year, including GDPR, and companies facing hefty fines for security breaches, it is more important than ever to ensure a continuous and robust approach to data security. This starts with looking at the internal processes within an organisation, and the points where those processes come in contact with customer or employee data.
“Ongoing monitoring of end-to-end processes provides insight into potential risks and ongoing improvement opportunities. Visually documenting these processes, and ensuring visibility for all employees, will ensure that all data is embedded within a secure system. Full visibility and collaboration also enable the singling out of those processes that may now hold risk, allowing organisations to put the necessary controls in place.
“Additionally, regulations can also be woven into existing processes, ensuring compliance at all touch points. This will allow for a sustainable approach to data protection, and significantly reduces the risk of a data breach.”
Patrick Hunter, an EMEA director of One Identity and a Greenwich University alumnus, adds: “The breach, discovered in 2016, shows us that the ICO takes our data protection very seriously. In this particular case it is interesting that there was no real breaking in through layers of firewalls and tackling account privileges, but the data was left in plain sight. It highlights the role of the Data Controller, in this case the University of Greenwich, and the responsibilities they have to the care of their students. If you have someone's private data, you are responsible and accountable for it.
“The University states it has put in place significant measures to prevent such data losses in the future, but they also, rightly, say they aren't immune to further attacks.”
Jason Hart, CTO of Data Protection at Gemalto, concludes: “This should be a reminder for organisations around the world to dig deep when it comes to protecting their data. If businesses don't know where it is or whether it's properly secured, then they are leaving themselves and their customers vulnerable. While many are taking steps to improve their data security, the fact that some breaches can lie undiscovered for three years leaves little doubt that there is still work to do before there is widespread GDPR compliance. In order to adequately protect their data, businesses must regularly audit and ensure that security controls, such as encryption and key management, are implemented, whether the data is being stored or used in a transaction.”