Why is privacy protection not possible without good IG?

Universities are not immune to data breaches. Recently, Greenwich University was fined £120 000 for disclosing the data of 20 000 students and staff on a microsite developed specifically for a conference. It is the first fine for a University under the Data Protection Act. (Incidentally, the UK has not yet adopted the EU GDPR, but says it will do so post-Brexit.)

A couple of noteworthy things about the Greenwich breach:

  • The microsite was developed without the University’s knowledge by an academic and a student. This is not unusual in my experience at South African universities, where microsites are often not well controlled even though they collect personal information. The University is held accountable nonetheless as the responsible party.
  • The microsite contained some obvious vulnerabilities. These were exploited some three years after the conference and allowed attackers access to a database of about 19 500 records. About 3 500 of the records contained sensitive information relating to health issues, assessment offences, and learning difficulties.
  • These are the specific failings the University was fined for:
    • The University was not aware that its infrastructure included a microsite that was vulnerable to a SQL injection attack, with access to underlying databases. The kind of attack matters because the Information Commissioner’s Office (ICO) had in the past issued guidance on securing online services that specifically addressed SQL injection flaws, as well as the danger of keeping legacy sites live.
    • The University did not identify the possible risks to its wider network and underlying systems.
    • The University did not ensure that the microsite was decommissioned once it was no longer needed, or that it was otherwise made secure.
    • The University did not undertake appropriate proactive monitoring and testing activities to discover vulnerabilities.
  • Here is a link to the ICO’s decision: https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2018/05/the-university-of-greenwich-fined-120-000-by-information-commissioner-for-serious-security-breach/
  • Here is an article on the breach: http://www.bbc.com/news/technology-44197118
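To make the SQL injection finding concrete, here is an added example (not code from the Greenwich microsite or the ICO guidance) that shows a delegate lookup built by string formatting next to the same lookup using a bound parameter; the delegate table, names and inputs are constructed for the example.

```python
import sqlite3

# Constructed sample data standing in for a conference microsite's delegate
# table; the people and notes are invented for this example.
DELEGATES = [
    (1, "alice@example.org", "Alice Example", "none"),
    (2, "bob@example.org", "Bob Example", "dietary: nut allergy"),
    (3, "carol@example.org", "Carol Example", "none"),
]


def make_db():
    """Create an in-memory SQLite database holding the sample delegates."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE delegates (id INTEGER, email TEXT, name TEXT, notes TEXT)"
    )
    conn.executemany("INSERT INTO delegates VALUES (?, ?, ?, ?)", DELEGATES)
    return conn


def lookup_vulnerable(conn, email):
    """Build the query by string formatting. The input becomes part of the
    SQL text, so a quote character in it changes the query's structure."""
    sql = f"SELECT name, notes FROM delegates WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    """Pass the input as a bound parameter. The driver keeps it as data,
    whatever characters it contains, so it can only match an email value."""
    sql = "SELECT name, notes FROM delegates WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def demo():
    """Run both lookups with a normal address and with a constructed
    input that closes the quoted literal and adds an always-true clause."""
    conn = make_db()
    benign = "bob@example.org"
    crafted = "x' OR '1'='1"
    return {
        "vuln_benign": lookup_vulnerable(conn, benign),
        "vuln_crafted": lookup_vulnerable(conn, crafted),   # every row leaks
        "safe_benign": lookup_parameterized(conn, benign),
        "safe_crafted": lookup_parameterized(conn, crafted),  # no match
    }
```

The parameterized form is the fix the ICO guidance points at; a decommissioned site, of course, leaks nothing at all.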

