Fort Lauderdale, Florida - The UK Information Commissioner’s Office has fined the University of Greenwich £120,000 ($160,000) for leaving a server that linked to a school database unsecured. The university’s response: we forgot that server even existed.
Here’s how everything transpired. Way back in 2004 at an academic conference hosted by the University’s Computing and Math School (CMS), a student was asked to create a microsite. The site included a feature for academics to upload documents anonymously via URL. Remember that detail because it will be important later. After the conference nobody shut down the server. So it just sat there, only instead of becoming sentient like mayonnaise does when you leave it in a refrigerator that long, the server just puttered on, missing crucial patches and updates, and probably collecting dust until 2013 when an enterprising hacker discovered it and made use of that anonymous upload feature to breach it.
That went unnoticed, too.
It also went unnoticed in 2016 when hackers used SQL flaws and some PHP exploits to breach the University’s network several more times.
While the microsite itself was worthless to the intruders, the database it was linked to was worth quite a bit. That’s because it contained personal data on over 19,500 people affiliated with the university, including students, staff, alumni and even conference attendees. More than just run-of-the-mill personal data, the database also contained more sensitive categories of personal data, too – things like learning disabilities, medical issues and extenuating circumstances provided by students to satisfy absences and missed exams.
In the end it was one of the hackers themselves who tipped everyone off to the breach, when the data got posted to Pastebin.
A cautionary tale for GDPR compliance
Ok, so that’s an embarrassing mistake for a university to make, but frankly it’s not inexplicable. For larger enterprise organizations and institutions like universities with massive digital infrastructures, this sort of thing isn’t unheard of. That’s why this makes for a good cautionary tale as we are just days away from the EU’s General Data Protection Regulation becoming enforceable. Here is what the UK Information Commissioner’s Office said regarding the $160,000 fine:
Whilst the microsite was developed in one of the University’s departments without its knowledge, as a data controller it is responsible for the security of data throughout the institution.
You can toss the first half of that sentence out as it’s merely a polite concession. No, unlike a mullet, the business part of this statement is in the back. As a data controller you are responsible for the security of all the data throughout your organization. There is a lot of ambiguity within the GDPR, but not about this. Ignorance is not an excuse that the DPAs – like the UK ICO – are going to abide.
And moving forward, the penalties are really getting cranked up. 120,000 Euros is going to seem quaint compared to the £10,000,000-£20,000,000 (or 2-4% of Total Revenues) that a violation like this under the GDPR would be worth.
Here’s the other thing: there will likely be ne’er-do-wells looking to exploit exactly these sorts of situations by finding forgotten IPs and either breaching them or extorting their owners with threats of reporting them to their DPA. Not that they weren’t already doing that, but the GDPR provides even more leverage.
So, with just days before the GDPR becomes enforceable, take the time to do one last sweep, making sure to take stock of everything – even legacy sites or servers that have been deprecated from use.
Because forgetting anything could end up being extremely costly.
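One way to run that "last sweep" is to reconcile the hosts you can actually see (DNS zone exports, external scans) against the asset register, flagging anything unregistered, ownerless or long unpatched, which is exactly the profile of the 2004 microsite. This is an added example, not code from the post or the university; every hostname, owner and date in it is constructed sample data.

```python
"""Reconcile observed hosts against an asset register to surface forgotten servers.
Added example with constructed data; hostnames, owners and dates are not real."""
from datetime import date

# Constructed asset register: what the organisation *thinks* it runs.
ASSET_REGISTER = {
    "www.example.ac.uk": {"owner": "central-it", "last_patched": date(2018, 5, 1)},
    "portal.example.ac.uk": {"owner": "central-it", "last_patched": date(2018, 4, 20)},
    # Registered once for a conference, then abandoned: no owner, never patched again.
    "conf2004.cms.example.ac.uk": {"owner": None, "last_patched": date(2004, 9, 3)},
}

# Constructed observations: hostnames seen in a DNS zone export / external scan.
OBSERVED_HOSTS = [
    "www.example.ac.uk",
    "portal.example.ac.uk",
    "conf2004.cms.example.ac.uk",
    "old-lab.cms.example.ac.uk",  # answering on the network, but nobody registered it
]

# Fixed "today" so the sweep is reproducible (constructed date).
SWEEP_DATE = date(2018, 5, 22)


def sweep(register, observed, today, max_patch_age_days=90):
    """Return {hostname: [reasons]} for every observed host that needs attention.

    A host is flagged if it is missing from the register, has no recorded owner,
    or has not been patched within max_patch_age_days of `today`.
    """
    findings = {}
    for host in observed:
        reasons = []
        entry = register.get(host)
        if entry is None:
            reasons.append("not in asset register")
        else:
            if not entry["owner"]:
                reasons.append("no owner recorded")
            age = (today - entry["last_patched"]).days
            if age > max_patch_age_days:
                reasons.append(f"last patched {age} days ago")
        if reasons:
            findings[host] = reasons
    return findings


if __name__ == "__main__":
    for host, reasons in sweep(ASSET_REGISTER, OBSERVED_HOSTS, SWEEP_DATE).items():
        print(f"{host}: {'; '.join(reasons)}")
```

In practice the observed list would come from your DNS zones, cloud inventories and external scan results rather than a literal, and the register from the CMDB; the reconciliation logic stays the same.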