The University of Greenwich has been fined £120,000.00 by the ICO (Information Commissioner’s Office) after being found guilty of allowing personal and sensitive data they hold to be exposed.
The fine comes off the back of a serious data breach where the data for some 20,000 university students and staff was compromised from a micro-site that had been used in 2004 for a training conference. This micro-site was not closed or secured, and was comprised in 2013, and then multiple attacks in 2016 allowed hackers access to the university’s web-server.
The ICO found that the University of Greenwich failed in their important duty to ensure that the data they held was safe and secure. This was a preventable data breach, which means that it’s hard to escape responsibility for it.
There’s no excuse for being lazy or lackadaisical when it comes to data protection and cybersecurity. Organisations must ensure that they do not leave themselves open and vulnerable to attacks and breaches, particularly in an age where criminals are able to identify and exploit known vulnerabilities.
Last year’s WannaCry attack was a prime example of how outdated systems can mean increased vulnerability.
We’re not surprised by the fine levied on the University of Greenwich, although they may want to count themselves lucky given that the new GDPR that came into force last week could have seen a fine of this nature being in the millions had it have happened later this year. We’re representing a number of individuals who have been affected by a separate University of Greenwich data breach, and we’d expect that, given the multiple breaches and the fine imposed, they will step up their cybersecurity and data protection efforts.
Steve Eckersley, Head of enforcement at the ICO, said that the university, as a data controller: “is responsible for the security of data throughout the institution.”
He went on to say: “Students and members of staff had a right to expect that their personal information would be held securely and this serious breach would have caused significant distress. The nature of the data and the number of people affected have informed our decision to impose this level of fine.”
If you have been affected by a University of Greenwich data breach and you have yet to speak to us about whether you may be entitled to data breach compensation, please contact our team as soon as you can.
We are representing victims of University of Greenwich data breaches, and given the course of the claims we are running so far, we are confident we can bring claims to a successful conclusion, and we’re offering our representation on a No Win, No Fee basis.