
University of Greenwich data breach highlights the dangers of insider threats

A personal data breach at the University of Greenwich highlights the repercussions for organisations that fail to review what they publish online

The University of Greenwich's accidental publication of the personal data of students highlights the need to focus on people, as well as technology and processes, to ensure security and privacy.

Students' names, addresses, dates of birth, mobile phone numbers, signatures and health problems were all uploaded to the university's website, according to the BBC, which first reported the breach.

The information was posted with minutes taken from the university's Faculty Research Degrees Committee, which oversees the registrations and progress of its research students, the report said.

The university apologised, took the documents offline and is working with Google to delete cached versions. It is contacting all the students affected by the data breach.

The university said it was conducting an investigation as part of a “robust review” of the incident, and pledged to publish the findings and recommendations.

Legal and security experts said the incident highlighted not just the risks of human error, but the repercussions for organisations that fail to review what they publish online.

Financial penalties

Under the coming European Union (EU) General Data Protection Regulation (GDPR), which is expected to come into force in 2018, organisations could be fined up to €20m for serious breaches of the rules.

But legal experts said the incident appeared to constitute a breach of the UK Data Protection Act, which may result in the Information Commissioner’s Office (ICO) issuing a monetary penalty.

The ICO – which can issue penalties of up to £500,000 – confirmed that it was aware of the incident at Greenwich University, but said its investigation was still at a very early stage.

Legal experts said the university may also face claims from students affected by the breach.

It is not clear how the information came to be published – but the university described it as a “serious error”, in breach of university policies and procedures.

“It is clear that, in this case, there has been a breakdown in either policy, procedure or both,” said Michael Hack, senior vice-president of European operations at secure data transfer firm Ipswitch.

“Whether private or public sector, when it comes to securing, storing and sharing confidential data, organisations must make sure they have the right policies and process in place – but this includes using secure data management and transfer technologies, security systems and most importantly, providing essential staff training across the board.”

Increase in sensitive data

These types of accidental breaches should be avoided by educating security professionals and users alike on a best practice cyber security code, said Richard Beck, head of cyber security at training company QA.

“This will minimise the risk of falling victim of a cyber security incident – whether intentional or accidental,” Beck said.

Kevin Cunningham, president and founder of identity access management company SailPoint, said that, like many organisations, universities today house vastly more sensitive data than in the past.

“Consequently, everyone from the executive level down needs to ensure there is a collaborative effort from internal staff to protect that sensitive information and, ultimately, the health and longevity of the organisation,” he said.

Cunningham said IT can only do so much to protect the internal infrastructure. “But with the right tools in place to put some onus back on the employees they can help alleviate the burden. It falls to the employees and management to ensure that protecting sensitive information is of the utmost importance,” he said.

Organisations must prepare

Matthias Maier, security evangelist at Splunk, said this kind of breach could happen to any organisation.

“What’s important is that organisations are prepared for these types of events, especially when handling sensitive personal data,” he said.

Maier said the incident underlines the importance of establishing incident investigation processes, to help find fast answers as to how the error occurred – and what could be done to prevent a similar breach happening again.

“The best way to do this is to review the historical tracks of data and system access to find out how the information was leaked, whether the right people have access to sensitive data and figure out follow-up actions, to avoid this happening in the future,” he said.
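Both the article's point about reviewing what is published online and Maier's recommendation to review historical records of data and system access can be turned into routine checks. The following is an added example written for this article, not code from the University of Greenwich or any of the quoted vendors: it gates a document before publication on a small set of personal-data patterns (UK mobile numbers, dates of birth, postcodes and health-related wording, the kinds of data the article says were exposed), and then replays a constructed upload log against the published documents to show which upload put personal data on the site and who made it. The log format, document contents and regular expressions are all constructed for the example.

```python
"""Added example: a pre-publication personal-data check and an upload-log review.

Illustrative code written for this article, not anything the University of
Greenwich or the quoted vendors use.  The sample documents, the log lines
and the detection patterns are all constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed patterns for the kinds of personal data the article says were
# exposed.  A real deployment would tune these for its own document set.
PII_PATTERNS: Dict[str, re.Pattern] = {
    "uk_mobile": re.compile(r"\b07\d{3}\s?\d{6}\b"),
    "date_of_birth": re.compile(
        r"\b(?:DOB|date of birth)[:\s]+\d{1,2}/\d{1,2}/\d{4}\b", re.I),
    "uk_postcode": re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]?\s?\d[A-Z]{2}\b"),
    "health_keyword": re.compile(
        r"\b(?:medical|health condition|diagnos(?:is|ed)|disability)\b", re.I),
}


def scan_for_pii(text: str) -> Dict[str, List[str]]:
    """Return every match found in *text*, keyed by pattern name."""
    hits: Dict[str, List[str]] = {}
    for name, pattern in PII_PATTERNS.items():
        found = pattern.findall(text)
        if found:
            hits[name] = found
    return hits


def publication_allowed(text: str) -> bool:
    """Gate for a web-publishing workflow: refuse anything that trips a pattern."""
    return not scan_for_pii(text)


# Constructed upload-log lines in the shape "timestamp user action path".
UPLOAD_LOG = """\
2016-05-12T09:14:02Z jdoe UPLOAD /minutes/frdc-2016-03.pdf
2016-05-12T09:15:40Z jdoe UPLOAD /minutes/frdc-2016-04-appendix.pdf
2016-05-12T11:02:17Z asmith UPLOAD /news/open-day.html
"""

# Constructed document contents keyed by the path recorded in the log.
DOCUMENTS: Dict[str, str] = {
    "/minutes/frdc-2016-03.pdf":
        "Minutes of the committee. Item 4: progression approved.",
    "/minutes/frdc-2016-04-appendix.pdf": (
        "Student: A. Example, DOB 01/02/1990, 12 High St, SE10 9LS, "
        "tel 07700 900123. Extension granted on medical grounds."
    ),
    "/news/open-day.html": "Open day on 3 June. All welcome.",
}


@dataclass
class UploadEvent:
    timestamp: str
    user: str
    path: str


def parse_upload_log(log: str) -> List[UploadEvent]:
    """Parse the constructed log format, keeping only UPLOAD actions."""
    events = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[2] == "UPLOAD":
            events.append(UploadEvent(parts[0], parts[1], parts[3]))
    return events


def find_exposing_uploads(
        log: str, documents: Dict[str, str]
) -> List[Tuple[UploadEvent, Dict[str, List[str]]]]:
    """Replay the upload log: which uploads placed personal data on the site?"""
    findings = []
    for event in parse_upload_log(log):
        hits = scan_for_pii(documents.get(event.path, ""))
        if hits:
            findings.append((event, hits))
    return findings


if __name__ == "__main__":
    for event, hits in find_exposing_uploads(UPLOAD_LOG, DOCUMENTS):
        print(f"{event.timestamp} {event.user} published {event.path}: "
              f"{sorted(hits)}")
```

Run as a script, it reports only the appendix upload, with the matching pattern names. The same `scan_for_pii` function serves both purposes: called from the publishing workflow it blocks the upload in the first place, and called over the log afterwards it answers the questions Maier raises, how the information got out and through whose account.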

Jason du Preez, CEO of data privacy company Privitar, said that, if users are to have any confidence that their private information will remain private, organisations need to think seriously about how they protect and anonymise users’ data.

“This data breach is not just embarrassing for those involved, it could have really serious financial and personal consequences. We are now in a world where potential privacy harms may have devastating effects – loss of self-determination, loss of trust, discrimination and significant economic loss,” he said.

Reputation and responsibility

Greg Hanson, vice-president of European business operations at Informatica, said that, if companies fail to identify and safeguard sensitive data, they are essentially putting their customer relationships in the line of fire.

“When you consider the impact for an organisation’s reputation, it is simply not a risk worth taking. With the list of data breach victims continuing to grow, organisations need to adopt a data-centric security strategy – and fast,” he said.

Jason Andrew, vice-president for Europe at BMC Software, said that, as demonstrated by the recent Privacy Shield deal ushered in to replace the invalidated Safe Harbour agreement: “We live in the age where data-handling comes with significant responsibility and a higher standard of accountability.

“Whether you are a bank, large business or educational institution – the risks of not taking tangible steps to safeguard customer data are becoming too high.”

Aside from reputational damage and the loss of trust with its students, the University of Greenwich will likely suffer financial penalties for failing to protect sensitive student data, said Andrew, adding that such penalties are becoming commonplace in our digital era.

It is imperative for companies that have suffered a data breach to quickly remediate known vulnerabilities, he said – but the challenge remains to discover, prioritise and fix these vulnerabilities quickly, reduce the risk of being hacked and keep customer information protected.

“Closing this ‘vulnerability gap’ is essential in protecting an organisation’s brand, and will also ensure continued customer confidence in the business’s ability to protect their sensitive information,” said Andrew.
