Greenwich University Fined £120k for Data Breach

At the very least, organisations need a Data Loss Prevention policy in place

The BBC reported that the University of Greenwich has been fined £120,000 ($160,000) by the Information Commissioner. The fine was for a security breach in which the personal data of 19,500 students was placed online. The data included names, addresses, dates of birth, phone numbers, signatures and - in some cases - physical and mental health problems.

Patrick Hunter, an EMEA director of One Identity and a Greenwich University alumnus, said: "The breach, discovered in 2016, shows us that the ICO takes our data protection very seriously. In this particular case it is interesting that there was no real breaking in through layers of firewalls and tackling account privileges, but the data was left in plain sight. It highlights the role of the Data Controller, in this case the University of Greenwich, and the responsibilities they have to the care of their students. If you have someone’s private data, you are responsible and accountable for it.

"The University states it has put in significant measures to prevent such data losses in the future, but they also, rightly, say they aren’t immune to further attacks.

"At the very least, organisations need a Data Loss Prevention policy in place, coupled with procedures and policies to protect the accounts that traditionally get abused in order to obtain access to the data. If you control who has access to student personal records then you can track who does what with it. The ability to bulk copy that amount of personal data without any form of governance is unheard of today (or it should be!), but 13 years ago it seemed to be easy and the University has owned up and is paying the fines.

"Know who has access and know what they are doing with it at all times. These same accounts are the targets of the hackers and if they can get access easily, then the fines are going to mount up. Lock those passwords away, don’t let anyone know what they are until they need to check them out. Grant the right people the right level of privilege and check in every now and then as to whether they should still have that level of entitlement. Governance and regulations are not there to be passed and forgotten, but to be on-going processes to protect the users and data from being stolen."
