The University of Greenwich has been fined £120,000 by the Information Commissioner following a “serious” security breach involving the personal data of nearly 20,000 people.
The data included personal information belonging to students and staff.
It is the first university to be fined by the Commissioner, who will be responsible for handing out fines for breaches of the GDPR after it comes into effect.
“Whilst the microsite was developed in one of the university’s departments without its knowledge, as a data controller it is responsible for the security of data throughout the institution,” said Steve Eckersley, head of enforcement at the ICO.
“Students and members of staff had a right to expect that their personal information would be held securely and this serious breach would have caused significant distress.
“The nature of the data and the number of people affected have informed our decision to impose this level of fine.”
The microsite in question was developed by an academic and a student to facilitate a training conference in 2004.
After the event, the site was left up and unsecured. It was compromised in 2013, and in 2016 multiple attackers exploited the site's vulnerability, which allowed them to access further areas of the web server.
The exposed data comprised the personal details of 19,500 people, including students, staff and alumni, such as names, addresses and telephone numbers.
Of these entries, 3,500 included sensitive data such as information on extenuating circumstances, details of learning difficulties and staff sickness records.
The Commissioner found that the university did not have in place appropriate technical and organisational measures for ensuring that such a security breach would not occur.