The Information Commissioner’s Office (ICO) fined the University of Greenwich £120,000 for a “serious” security breach of personal data.

On 21 May, the United Kingdom’s Information Commissioner announced the fine. It’s the first time the ICO has levied such a penalty against a university under the Data Protection Act 1998.

According to the ICO’s report on the matter, the trouble started in 2013 when someone compromised a microsite created nine years previously on the web server of Greenwich University’s Computing and Mathematics School. Multiple attackers then leveraged SQL injection against the microsite to upload PHP exploits. These malicious actions enabled the attackers to access other parts of the web server, including databases which contained the personal information for 19,500 staff, faculty, students and other subjects.

A bad actor subsequently exfiltrated that data and published in on Pastebin.

The University of Greenwich eventually learned of the breach in June 2016 following additional compromises of the microsite in April and May of that year.

Steve Eckersley, head of enforcement at the ICO, said the fine reflects the University’s failure to properly secure the information of all its data subjects. As quoted in a statement for the Information Commissioner:

Whilst the microsite was developed in one of the University’s departments without its knowledge, as a data controller it is responsible for the security of data throughout the institution. Students and members of staff had a right to expect that their personal information would be held securely and this serious breach would have caused significant distress. The nature of the data and the number of people affected have informed our decision to impose this level of fine.

The University released its own statement in response to news of the fine. In it, school officials explained how the University invested in new security (Read more...)