Data breach at York University highlights urgency of security checks, says ICO


Data breach at York University highlights urgency of security checks, says ICO

Warwick Ashford

The University of York's accidental breach of thousands of students' personal data points to a need for improved security checks, according to the Information Commissioner's Office.

The University of York failed to close a test area on its website that contained thousands of students' personal details, said the Information Commissioner's Office (ICO).

The privacy watchdog found the university in breach of the Data Protection Act after finding 148 records were accessed without authorisation in September 2009.

"We recognise that people can make mistakes when handling data - that's why it is so vital that adequate checks and security measures are put in place," says Simon Entwisle, director of operations at the ICO.

The breach could have been avoided, Simon Entwisle said, if the university had assessed the risks posed to the security of their students' data.

The university also failed to test the security of their IT system once the project was complete, delaying remedial action.

The error meant students could access information about their classmates for over a year before the problem was identified and the system secured.

However, the ICO said it was not imposing a monetary penalty, as the breach was unlikely to cause the students substantial damage or distress.

"We are satisfied that the University of York has now taken action to improve the security of its IT system, including carrying out regular testing," said Entwisle.

Brian Cantor, vice-chancellor of the University of York, has signed an undertaking to improve data security at the institution.


Read more to stay out of trouble with the ICO

Email Alerts

Register now to receive IT-related news, guides and more, delivered to your inbox.
By submitting your personal information, you agree to receive emails regarding relevant products and special offers from TechTarget and its partners. You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

COMMENTS powered by Disqus  //  Commenting policy