The University of Greenwich has received a fine of £120,000 because of the substantial damage and substantial distress caused by a security breach that exposed the personal information of 20,000 people.
It’s called “Shadow IT”, and it’s a problem that has now cost a British university £120,000 (over US $160,000) following a serious security breach.
“Shadow IT” is the phenomenon whereby staff inside your organisation take it upon themselves to perform duties that should really be carried out by the legitimate IT department. Maybe staff in your marketing department, for instance, are frustrated that the IT team cannot build them a microsite in time for a campaign – and so they take it upon themselves to build their own.
The problems are obvious to anybody who has worked in IT security. Who will ensure that the microsite built by the marketing department will be properly configured, won’t harbour vulnerabilities, will be properly patched as new exploits come to light…?
And that appears to be pretty much what happened at the University of Greenwich in London.
Back in 2004, the University of Greenwich allowed a student and an academic to build a bespoke microsite on a webserver. The microsite allowed delegates at a training conference to upload their papers.
However, the microsite was not removed or updated with security patches after the conference was over.
Nine years later, in 2013, the microsite was first compromised.
And then, in 2016, the microsite was attacked on multiple occasions by hacker who exploited SQL injection vulnerabilities to gain access to an account with sufficient privileges to upload known PHP exploits.
As the Information Commissioner’s Office (ICO) describes in its official report, the hackers were now able to access other areas of the web server, including databases containing personal information (such as names, addresses, phone numbers, and email addresses) of approximately 20,000 students, alumni, staff, external examiners, applicants, and event attendees.
Some of those individuals compromised also had sensitive details of their physical or mental health problems, learning difficulties, and staff sickness records exposed.
Stolen data were posted by the attacker on Pastebin shortly afterwards to publicise the attack; however, it appears the University first realised there had been a breach on June 8, 2016.
In its findings, the ICO found that the university had failed to put in place appropriate technical and organisational measures to ensure – as far as possible – that a security breach would not occur.
The ICO’s Steve Eckersley explained that the University of Greenwich had received a fine of £120,000 because of the substantial damage and substantial distress caused by the breach:
“Whilst the microsite was developed in one of the University’s departments without its knowledge, as a data controller it is responsible for the security of data throughout the institution.
“Students and members of staff had a right to expect that their personal information would be held securely and this serious breach would have caused significant distress. The nature of the data and the number of people affected have informed our decision to impose this level of fine.”
Let this be a lesson to other organisations. Keep a very careful eye on what your staff may be doing without your knowledge, and ensure that any IT project had proper supervision to ensure that it is built securely, maintained and – as appropriate – closed down responsibly if no longer required.
The ICO has said that if the University of Greenwich pays its fine by June 15, 2018 and turns down its right to appeal, it will reduce the penalty by 20% to £96,000 (US $130,000).