The data included a host of personal details including addresses, dates of birth, names and phone numbers. Moreover, 3,500 of the individuals exposed also had confidential medical information leaked.
The ‘serious’ leak came through a vulnerable microsite that was originally created for a training conference in 2004. However, the university failed to close or protect the site after the conference. It was then attacked by a hacker who exploited SQL injection vulnerabilities to gain access to the university’s web server, which in turn gave them access to staff and student details.
“Whilst the microsite was developed in one of the University’s departments without its knowledge, as a data controller it is responsible for the security of data throughout the institution,” said Steve Eckersley, head of enforcement at the Information Commissioner’s Office (ICO).
The ICO describes itself as “The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.” Under the Data Protection Act 1998, the ICO can impose a maximum £500,000 fine if it believes an organization does not have ‘reasonable data protection policies’.
The largest ICO fine was imposed in 2016, when the organization fined TalkTalk, a UK-based telecoms company, £400,000 for allowing hackers to access customer data with ‘ease’. However, if a similar hack were to happen while GDPR was in place, TalkTalk would be fined 59 million. GDPR comes into effect May 25th. More can be found about the legislation here.
Since the fine, university secretary Peter Garrod said, “we acknowledge the ICO’s findings and apologize again to all those who may have been affected.” Garrod also commented on the university’s policies since the scandal, saying they “specifically, have invested significantly in new technology and staff; overhauled the information technology governance structure to improve internal accountability; and implemented new monitoring systems and a rapid response team to anticipate and act on threats.” If Greenwich pays the fine quickly, it will be reduced to £96,000.
To prevent your organization from facing similar problems, make sure to reach out and see how we can solve your cybersecurity needs.
Secure Sense is the security provider that cares. We are a team of experts with a passion for IT and protecting your organization is what motivates us daily. If you have questions or want to learn more about how Symantec can improve your organization’s security, our services or just want to chat security please give us a shout. If you’re looking to guest blog, please send an email here.
Don’t forget to register for our 4th annual Camp Secure Sense here. Camp Secure Sense is geared towards helping Canadian IT Security professionals improve their security practices, and better protect their organization. Registration closes on June 6th, 2018!