The BBC reported that the University of Greenwich has been fined £120,000 (about $160,000) by the Information Commissioner. The fine was for a security breach in which the personal data of 19,500 students was placed online. The data included names, addresses, dates of birth, phone numbers, signatures and, in some cases, details of physical and mental health problems. IT security experts commented below.
Mayur Upadhyaya, Managing Director, Europe at Janrain:
“One of the challenges that institutions such as Greenwich University face will be the historic build up of Shadow IT (systems and solutions built and used without central approval) over the last 20 years. In the run up to GDPR, systems such as the Greenwich University microsite would not have come up in a data audit.
“Data audits are a key tool of GDPR readiness, however they are not fit for purpose, and lose value and impact in organisations that may have shadow projects that don’t sit under an organisational governance process. There could be hundreds of brands, institutions and organisations that believe they have used best endeavours to protect the rights of data subjects, but could have gaps unbeknown. Shadow IT poses a greater risk as we become a more regulated society to both data subjects and businesses alike.”
Simon Cuthbert, Head of International at Protected Networks:
“This is a typical insider breach – a case of ‘Over Privileged Access’, individuals having access to folders and data that they do not need. This comes from access permissions not being revoked or poorly managed. Whilst this isn’t really anyone’s fault, it boils down to the issue of not having the visibility of who has access to what data, and what they are doing with it.
Access rights should be a priority for anyone responsible for the security of PII and sensitive data. With GDPR coming into force in a matter of days, the role of the Data Controller is going to be extremely difficult unless the right systems are in place to enable visibility and control of data access.”
Andy Norton, Director of Threat Intelligence at Lastline:
“Clearly the UK Information Commissioner is not in alignment with GDPR about what is proportionate and reasonable as a fine… Nearly 20,000 people had their personal information stolen and dumped out on a pastebin site. The ICO office said that the university did not implement appropriate technical or organisational measures and had overlooked the requirement to have a robust technical implementation. If the university pay early the fine is reduced to £96,000, but had it been set next week the fine would have been 10 million or more, given the lack of safeguards in place.”
Patrick Hunter, EMEA Director of One Identity and Greenwich University alumnus:
“The breach, discovered in 2016, shows us that the ICO takes our data protection very seriously. In this particular case it is interesting that there was no real breaking in through layers of firewalls and tackling account privileges, but the data was left in plain sight. It highlights the role of the Data Controller, in this case the University of Greenwich, and the responsibilities they have to the care of their students. If you have someone’s private data, you are responsible and accountable for it.
“The University states it has put in significant measures to prevent such data losses in the future but they also, rightly, say they aren’t immune to further attacks.
“At the very least though, organisations need a Data Loss Prevention policy in place coupled with procedures and policies to protect the accounts that traditionally get abused in order to obtain access to the data. If you control who has access to student personal records then you can track who does what with it. The ability to bulk copy that amount of personal data without any form of governance is unheard of today (or it should be!), but 13 years ago it seemed to be easy and the University has owned up and is paying the fines.
“Know who has access and know what they are doing with it at all times. These same accounts are the targets of the hackers and if they can get access easily, then the fines are going to mount up. Lock those passwords away, don’t let anyone know what they are until they need to check them out. Grant the right people the right level of privilege and check in every now and then as to whether they should still have that level of entitlement. Governance and regulations are not there to be passed and forgotten, but to be on-going processes to protect the users and data from being stolen.”