Students have discovered their personal information could be found online via a Google search, landing Greenwich University in hot water with the Information Commissioner's Office.
The issue was brought to the BBC's attention by a student at Greenwich University: students' names, addresses, dates of birth, mobile phone numbers and signatures had all been uploaded to the university's website.
They were posted alongside minutes from the university's Faculty Research Degrees Committee, which oversees the registrations and progress of its research students. In some cases, mental health and other medical problems were referenced to explain why students had fallen behind with their work.
The university believes all the documents are now offline and has contacted Google to try to ensure cached copies of the documents cannot be retrieved from its search engine.
In a statement from Greenwich University, Louise Nadal, university secretary, said: “I am very sorry that personal information about a number of postgraduate research students has been accessible on the university web site. This was a serious, unprecedented error, in breach of our own policies and procedures. The material has now been removed.”
The university does appear to have all the relevant policies you would expect to find in a large institution, such as a Data Protection Policy, an Information & Records Management Policy, a Data Security Breach Policy and an Information Security and Assurance Policy.
SCMagazineUK.com contacted the university to ask whether or not this information is given to the university staff in the form of training or a leaflet, but the university did not reply in time for publication.
Matthias Maier, security evangelist at Splunk, spoke to SC and said: “Most organisations don't track movements of data. Staff should be tracked in order to make sure they are accountable; this is so the relevant staff member that does transfer data in an insecure manner can be taught the proper way to do so in order to stop future leaks of data.”
Greg Hanson, VP at Informatica, commented on the breach, saying: “If companies fail to identify and safeguard sensitive data, they are essentially putting their customer relationships in the line of fire.” Hanson went on to say that “in order to protect data, wherever it may be, organisations need to be able to identify where it originates in order to secure it, whether it is in transit or at its destination. For many organisations, a complete reassessment of security procedures is required. A data-centric strategy is the key to avoiding damaging leaks and reassuring consumers.”