Britain’s Information Commissioner's Office (ICO) has fined the University of Greenwich £120,000 for a security breach exposing data on almost 20,000 people.
The fine was imposed under an old law—the Data Protection Act enacted in 1998. This is the first university to be hit with a fine.
The action concerns a microsite developed by a teacher and student at the Computing and Mathematics School for a training conference in 2004.
The site was not closed down and secured after the event, leading to compromise in 2013 and exploitation by multiple hackers in 2016, the ICO contended.
In addition to identifiers, the exposed data included details on learning difficulties and staff sickness records for some people, according to the ICO.
“Whilst the microsite was developed in one of the University’s departments without its knowledge, as a data controller it is responsible for the security of data throughout the institution,” states Steve Eckersley, head of enforcement for the ICO.
The ICO said it would reduce the penalty by 20% to £96,000 if the University pays by June 15 and forgoes an appeal.
In another action, a recruiting consultant was fined for unlawfully taking data from his employer.
The consultant, Daniel Short, left VetPro Recruitment last October and started VetSelect. He took data from VetPro’s database on 272 individuals, the ICO alleged.
Short pleaded guilty to unlawfully obtaining personal data under section 55 of the Data Protection Act 1998, and was fined £355 plus costs of £700 and a victim surcharge of £35, according to the ICO.