A data breach at the University of Surrey Sports Park has hit 90,000 people after a password was published online by a software supplier in what is being classed as an “employee error”.
The University has reportedly contacted members, staff and students to inform them of the data security issue, in which details like birth dates, bank details, health information and contact particulars were at risk of exposure due to the publication of the password. A “sincere apology” has been issued, and victims of the breach are being asked to remain vigilant.
The data breach has been reported to the Information Commissioner’s Office (ICO). It is unknown whether any information was illegally accessed, and the University considers the risk caused by the data breach to be low.
The CEO of Surrey Sports Park, Karen Rothery, said in a statement:
“We are very disappointed to learn of this issue… [the University was] taking a precautionary approach to this situation to ensure that our members are protected.”
Simple acts and catastrophic consequences
Although the reports of this incident suggest that the risk is low and that information has not been stolen, the data breach is another classic example of a simple error that can lead to devastating problems.
Human error accounts for a large proportion of data breach cases, and as seen in this case, the simple act of accidentally publishing a password can give fraudsters and criminals easy access to do some very serious damage.
Take the 56 Dean Street cases we are dealing with as another example.
Emails sent in error to almost 800 people, where the list of recipients was not masked or guarded, led to a monumental breach of data protection rules.
Data protection goes above and beyond training when we have systems and software we can use to properly protect the data we are responsible for safeguarding.
This incident appears to be a near-miss, unless the data was accessed or downloaded before it was made secure. As with many data breaches of this nature, only time will tell…