Greenwich University Fined £120,000 For Data Breach, Just Days Before GDPR Implementation

By ISBuzz Team | May 25, 2018 | Updated: December 4, 2024

The BBC reported that the University of Greenwich has been fined £120,000 ($160,000) by the Information Commissioner. The fine was for a security breach in which the personal data of 19,500 students was placed online. The data included names, addresses, dates of birth, phone numbers, signatures and – in some cases – physical and mental health problems. IT security experts comment below.

Mayur Upadhyaya, Managing Director, Europe at Janrain:

“One of the challenges that institutions such as Greenwich University face will be the historic build up of Shadow IT (systems and solutions built and used without central approval) over the last 20 years. In the run up to GDPR, systems such as the Greenwich University microsite would not have come up in a data audit.

“Data audits are a key tool of GDPR readiness, however they are not fit for purpose, and lose value and impact in organisations that may have shadow projects that don’t sit under an organisational governance process. There could be hundreds of brands, institutions and organisations that believe they have used best endeavours to protect the rights of data subjects, but could have gaps unbeknown. Shadow IT poses a greater risk as we become a more regulated society to both data subjects and businesses alike.”

Simon Cuthbert, Head of International at Protected Networks:

“This is a typical insider breach – a case of ‘Over Privileged Access’, individuals having access to folders and data that they do not need. This comes from access permissions not being revoked or poorly managed. Whilst this isn’t really anyone’s fault, it boils down to the issue of not having the visibility of who has access to what data, and what they are doing with it.

“Access rights should be a priority for anyone responsible for the security of PII and sensitive data. With GDPR coming into force in a matter of days, the role of the Data Controller is going to be extremely difficult unless the right systems are in place to enable visibility and control of data access.”

Andy Norton, Director of Threat Intelligence at Lastline: 

“Clearly the UK Information Commissioner is not in alignment with GDPR about what is proportionate and reasonable as a fine… Nearly 20,000 people had their personal information stolen and dumped out on a pastebin site. The ICO office said that the university did not implement appropriate technical or organisational measures and had overlooked the requirement to have a robust technical implementation. If the university pay early the fine is reduced to £96,000, but had it been set next week the fine would have been 10 million or more, given the lack of safeguards in place.”

Patrick Hunter, EMEA Director of One Identity and Greenwich University Alumni:

“The breach, discovered in 2016, shows us that the ICO takes our data protection very seriously. In this particular case it is interesting that there was no real breaking in through layers of firewalls and tackling account privileges, but the data was left in plain sight. It highlights the role of the Data Controller, in this case the University of Greenwich, and the responsibilities they have to the care of their students. If you have someone’s private data, you are responsible and accountable for it.

“The University states it has put in significant measures to prevent such data losses in the future but they also, rightly, say they aren’t immune to further attacks.

“At the very least though, organisations need a Data Loss Prevention policy in place coupled with procedures and policies to protect the accounts that traditionally get abused in order to obtain access to the data. If you control who has access to student personal records then you can track who does what with it. The ability to bulk copy that amount of personal data without any form of governance is unheard of today (or it should be!), but 13 years ago it seemed to be easy and the University has owned up and is paying the fines.

“Know who has access and know what they are doing with it at all times.  These same accounts are the targets of the hackers and if they can get access easily, then the fines are going to mount up.  Lock those passwords away, don’t let anyone know what they are until they need to check them out.  Grant the right people the right level of privilege and check in every now and then as to whether they should still have that level of entitlement.  Governance and regulations are not there to be passed and forgotten, but to be on-going processes to protect the users and data from being stolen.”

The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
