
The ICO has fined Greenwich University £120,000 over a major data breach

The Information Commissioner’s Office has fined Greenwich University £120,000, after a former student breached a critical server and uploaded 19,500 people’s data to the dark web.

The student had reportedly been kicked out of the university and wanted to prove their hacking credentials in a bid to win back their place.

An Evening Standard report published in June 2016 revealed the student had posted a statement to the university’s website beside a link to the data dump: “So due to my elite skills and e-fame, you guys decided to kick me out of University because you couldn’t handle the beast.”

“In response to this, I’ve used the skills I’ve obtained to show you how good I actually am. Please let me come back,” they wrote.

Four months earlier, the university had been subjected to a separate breach involving the publication of hundreds of researchers’ details on the university’s website.

The breach included names, addresses, dates of birth, mobile numbers and signatures. In some cases, mental health and medical problems were also documented, the BBC reported at the time.

The two breaches were linked to a “serious” vulnerability in a microsite set up by two university researchers in 2004, the ICO said. Once the microsite had been infiltrated, hackers were able to access the university’s servers and the database.

Among the 19,500 records, 3,500 included sensitive information about extenuating circumstances, learning difficulties and staff sickness records.

The fine is the first the ICO has levied against a university. The regulator’s head of enforcement, Steve Eckersley, said “the nature of the data and the number of people affected have informed our decision to impose this level of fine”.

“Students and members of staff had a right to expect that their personal information would be held securely and this serious breach would have caused significant distress,” he added. 

The ICO’s investigation revealed that the university had not put in place measures to ensure that such a breach would not occur.

In a statement, a university spokesperson said: “We acknowledge the ICO’s findings and apologise again to all those who may have been affected. Since 2016, when the unauthorised access to some of the university’s data was discovered, we have carried out a major review of our data protection procedures and made a number of key changes.”

The spokesperson added: “We have invested significantly in new technology and staff; overhauled the information technology governance structure to improve internal accountability; and implemented new monitoring systems and a rapid response team to anticipate and act on threats.”