Greenwich uni fined £120k: Hole in computing school site leaked 20k people's data

The UK's Information Commissioner has slapped a £120,000 fine on the University of Greenwich after a security cockup by its computing and maths school compromised the data of almost 20,000 individuals. The incident occurred after an academic and a student from the then devolved department developed a microsite to facilitate a …

  1. Anonymous Bullard

    Privacy has a price.

    £6 per person.

    1. Anonymous Coward


      That seems about an order of magnitude or two more than most fines... per personal ID leaked!

      In fact, it shows how leaking more customer data is cheaper than leaking less... if they'd protected half those accounts, it would now cost them £12 per person. But if they leaked twice as much, it brings the fine down to £3 each... ;)

      1. Anonymous Coward

        Re: Wow.

        TalkTalk, £400k for 159959 users, £2.50 per person, so I guess the ICO offers volume discounts.

        1. Anonymous Coward

          Re: Wow.

          Though the ICO could only have ever fined TalkTalk £500k.

          TalkTalk got a reduced fine because the regulator found them cooperative with the investigation and because they were themselves the victims of a crime.

  2. Anonymous Coward

    So a computing department

    seems to have no idea what websites it has running on its network*.

    Shocking, but not surprising I guess.

    Just seems the bad actors were better at scanning for open port 80's than the internal team.

    *I presume it was on a network under their control, not just a random one knocked up on a free hosting site.

    1. Anonymous Coward

      Re: So a computing department

      Regardless of whether or not they knew about it, the data shouldn't have been released to go on it.

  3. Anonymous Coward

    Win2k3 Server

    I wonder how many Win2k3 servers they are still running?

    1. Anonymous Coward

      Re: Win2k3 Server

      They have loads... used to work there a few years back.

      I know most of the guys still working there now. They'll be having a good old chuckle at this, it's a laugh and just annoying student data who cares is what they'll be thinking.

      They'll be down the Trafalgar Tavern after work having a good old laugh about it....

  4. Sheepykins

    Nice use of GDPR terminology, though in this case wouldn't the uni be the controller and the processor?

    At least they got away with a smaller fine than they would have paid under GDPR. 4 days to go before the fun!

    1. Doctor Syntax Silver badge

      "Nice use of GDPR terminology"

      T'other way about. GDPR has inherited from earlier rules such as the previous EU Directive and the earlier DPAs.

  5. Alister

    You can see why there are so many data breaches nowadays, if even those responsible for teaching future developers have no clue about security.

    Is it any wonder that Dev-Ops (Ha) think it's absolutely fine to bung live data into a cloud container and then turn off the default security.

  6. LeahroyNake

    We take these matters extremely seriously and keep our procedures under constant review to ensure they reflect best practice.

    It's the first time that I half believe it... Or not.

    1. Chris G

      For a moment there I thought they were not going to 'Take these matters extremely seriously' but they stuck it in at the end instead of starting with it.

  7. Anonymous Coward

    Cheapest stock photo ever...

    Personal data lost, it's dreadful, no security, GDPR, should know better, yadda, yadda ... now on to the important bit.

    That picture. It looks like the cheapest stock photo ever - no not the price that El Reg stumped up to use it - but the photographer / studio in setting it up. The gowns are made of such thin material I have to wonder if they came from Anne Summers' The Graduate Collection [*]

    * No, I'm not going to search to see if such a thing really exists.

    [icon: a proper coat ->]

  8. IceC0ld

    So a computing department

    wonder if the student responsible for the creation of the microsite can be traced ?

    hopefully he / she isn't involved with anything remotely important, or at the very least the employer may want to know that they have on board a full blown boob in the field of infosec 101

    1. Hans 1

      Re: So a computing department

      hopefully he / she isn't involved with anything remotely important

      Ok, a student made a silly mistake in 2000, years back, when data protection awareness was not really the thing it is today. Again, a student, aka somebody training to become an expert, made a mistake. I guess you are already all-knowing and never make any ?

      An expert is a man who has made all the mistakes which can be made, in a narrow field.

      I would not blame the student, but the university, because, well, that site should have been put to rest two decades ago, almost, when its purpose was fulfilled (the event was over).

  9. Anonymous Coward

    I've worked in a couple of unis - some have so many VMs, nobody really knows what most of them do anymore. They have PBs of stale data going back years that people are too scared to chuck away. Home areas full of downloaded junk that nobody cleans up.

    Most unis have about 20 or so critical business applications, with maybe 200+ on their service portfolio, yet they have thousands of VMs doing god knows what...

