The Information Commissioner’s Office (ICO) has fined the University of Greenwich £120,000 for a serious security breach.

The personal data including names, addresses, dates of birth, phone numbers and signatures of 19,500 students and staff was compromised. Additionally, sensitive data of 3,500 people was breached.

The personal information was uploaded to a microsite developed by an academic and student for a training conference held in 2004. The university failed to secure the information, moreover did not close down the microsite after the event.

In 2013 the site was compromised and in 2016 numerous attackers exploited the site enabling them to access further areas of the web server.

The investigation by the ICO found the University did not have appropriate technical and organisational measures in place to protect against such a security breach.

Head of Enforcement at the ICO, Steve Eckersley, said:

“Whilst the microsite was developed in one of the University’s departments without its knowledge, as a data controller, it is responsible for the security of data throughout the institution.

“Students and members of staff had a right to expect that their personal information would be held securely and this serious breach would have caused significant distress. The nature of the data and the number of people affected have informed our decision to impose this level of fine.”

The University of Greenwich has said that since 2016 they have taken significant steps to enhance their data protection procedures that amount to an unprecedented overhaul of their data protection and security systems.

University Secretary, Peter Garrod, said:

“We acknowledge the ICO’s findings and apologise again to all those who may have been affected.”

The University of Greenwich is the first university to be fined by the Commissioner under the existing data protection legislation (Data Protection Act 1998).


BBC News:

University of Greenwich: