GDPR Isn’t Here Yet but This University Is Already Paying Fines for a 2004 Data Exposure
The UK Information Commissioner has fined the University of Greenwich £120,000 for a data breach that affects nearly 20,000 people. The fine was issued under the Data Protection Act 1998.
While the GDPR is potentially going to result in a lot of similar fines, this specific case goes back to 2004 when the university logged information from both the staff and students during a training conference. A site that was dedicatedly designed for the event logged information but this website was not secured or closed down after the event.
Website was later on accessed by hackers to steal user data
After three years, some criminals exploited a vulnerability in the domain. Names, addresses, and telephone numbers of over 19,500 people were compromised in the process. Along with this data, some sensitive information was also leaked, including details on learning difficulties, sickness, and "extenuating circumstances" that was stored on nearly 3,500 individuals.
"Students and members of staff had a right to expect that their personal information would be held securely and this serious breach would have caused significant distress," Steve Eckersley, head of the information watchdog said. "The nature of the data and the number of people affected have informed our decision to impose this level of fine."
"Since 2016, we have taken a number of significant steps to enhance our data protection procedures," the university said. "We take this extremely seriously, and would like to apologize again to those who may have been affected."
The University of Greenwich reportedly plans to pay the fines immediately, which will reduce the amount to £96,000.