There has been a serious breach at Plymouth University which has seen more than 200 staff members’ salaries leaked.
An investigation, undertaken by Plymouth University solicitors, is well under way. It transpires that a confidential spreadsheet noting 240 senior staff members’ salaries was erroneously sent to an incorrect email address in June 2015.
At the time, the data breach was reported to the Information Commissioner’s Office (ICO). The ICO has a general duty to investigate complaints from members of the public who believe that an authority/business has failed to protect their data. However, no further action was taken after the person who received the spreadsheet promised that they had deleted the document.
Spreadsheet was circulated
In a shock turn of events, the document was forwarded to the Plymouth Herald this week from an unknown source, meaning the data breach has resurfaced, and yet again 240 staff members’ personal and sensitive information is at risk. Plymouth Herald noted they were unable to reveal the precise details of what the spreadsheet contained, due to legal reasons, but it contained detailed information about 245 senior managers’ salaries, allowances, and pension plans.
Personal data
University solicitor, Matthew Jackson, said:
“The information is personal data relating to members of our staff, and as such is confidential.”
Personal information of this nature is protected under the Data Protection Act (DPA). Mr Jackson continues to say:
“…it is clear from the face of this document that this information should not have been sent to you [the Plymouth Herald] or any third party. We should be grateful if you would delete this information from your records immediately and confirm to us in writing when you have done so.”
According to Mr Jackson, all of the affected staff members were notified of the breach at the time it happened and they received a promise from the recipient that no copies of the spreadsheet were circulated or retained. This obviously isn’t the case as the information has come to light again.
In 2015, the ICO didn’t probe any further as they were satisfied that the university had dealt with the data breach in accordance with the DPA by addressing the unauthorised disclosure. Mr Jackson highlights his concerns by saying,
“Against this background and almost two years after the original event, we are very concerned that this information has now been sent to the Herald.”
It makes us wonder: where else is in the information? We are now far too familiar with the circulation of sensitive personal information on the dark web…
The perpetrator remains anonymous, and Mr Jackson calls for the source of the information to come forward. We presume this is so that appropriate steps can be taken to protect the university’s employees and their personal data.