The University of Greenwich has been fined £120,000 by the UK Information Commissioner's Office (ICO) for a serious data breach affecting about 20,000 people.
On Monday, the UK regulator said the fine was the first issued to a university under the Data Protection Act of 1998.
Under the UK's current data protection rules, data controllers, such as the university, are required to take reasonable measures to protect the personal data they hold.
However, the regulator says that the University of Greenwich failed in this duty after a training conference in 2004.
The conference was held at what was then the University's School of Computer Science and Mathematics. A microsite was set up for the training event and stored the personal information of both staff and students; this website was neither secured nor taken down afterwards.
Three years later, threat actors exploited a vulnerability in the domain to gain access to areas of the web server. As a result, information including the names, addresses and telephone numbers of 19,500 people, among them students, staff and alumni, was compromised.
To make matters worse, the data exposed through the server for approximately 3,500 of these individuals included sensitive information such as details of illnesses, learning difficulties and "extenuating circumstances", according to the regulator.
This information was subsequently leaked online.
"Students and staff members had the right to expect their personal information to be kept secure and this serious violation would have caused significant distress," said Steve Eckersley, Application Manager at ICO. "The nature of the data and the number of people affected have informed our decision to impose this level of fine."
The ICO's investigation found that the microsite was built without the university, as an institution, being aware of it at the time, because the department operated in a decentralised way. However, this does not remove the university's overall responsibility for the data.
The ICO concluded that the university had no adequate technical and organisational measures in place that could be considered "reasonable" data protection efforts, and imposed the fine on that basis.
With the General Data Protection Regulation (GDPR) deadline of May 25, 2018 only days away, the future consequences of lax security and poor data protection will be stricter still. The journey towards compliance, however, has already proved difficult for many organisations.
A recent IBM study suggests that while many companies believe that GDPR could become a force for good in terms of privacy and data collection constraints, only 36 percent of organizations believe they will be ready on time.
In response to the decision, the university accepted responsibility and plans to pay the fine immediately; prompt payment reduces the amount owed to £96,000.
"Since 2016, we have taken a number of significant steps to improve our data protection procedures," the university added. "We take this very seriously, and would like to apologize again to those who may have been affected."