The University of Greenwich was fined $160,000 under the Data Protection Act 1998 by the Information Commissioner's Office (ICO) for leaking the personal data of almost 20,000 staff, alumni and students, the BBC reports.
The exposed information included names, addresses, birthdates, phone numbers, study progress, email conversations between students and staff and some 3,500 health records with detailed information about physical and mental issues.
It appears the data was placed online on a microsite built for a conference in 2004, which was left active and unsecured after the event ended. The site was compromised in both 2013 and 2016 by several attackers who exploited its vulnerabilities to gain access to the web server.
The security breach was detected by a university student who reported it to the BBC and the ICO.
“Whilst the microsite was developed in one of the University’s departments without its knowledge, as a data controller it is responsible for the security of data throughout the institution,” said Steve Eckersley, head of enforcement at the ICO.
“Students and members of staff had a right to expect that their personal information would be held securely and this serious breach would have caused significant distress. The nature of the data and the number of people affected have informed our decision to impose this level of fine.”
The University of Greenwich accepted the decision and claims to have taken serious measures to secure its data and infrastructure.
“We acknowledge the ICO’s findings and apologize again to all those who may have been affected,” said University Secretary Peter Garrod.
“No organization can say it will be immune to unauthorized access in the future, but we can say with confidence to our students, staff, alumni and other stakeholders, that our systems are far more robust than they were two years ago as a result of the changes we have made. We take these matters extremely seriously and keep our procedures under constant review to ensure they reflect best practice.”