In May 2018, the university disclosed that it had been fined by the UK Information Commissioner for a data breach involving 19,500 people in what was believed to have been the first fine issued to a university under the Data Protection Act 1998 after the university failed in this duty following a training conference in 2004.
A microsite had been developed dedicated to the training event which logged information from both staff and students, this website was not secured or closed down afterward. Threat actors (some of which included former students who had been asked to leave the university) first exploited a vulnerability in the domain in 2013 to access areas of the web server and posted what they discovered on the dark web.
The exposed data included names, addresses, dates of birth, phone numbers, signatures and, for some, physical and mental health problems.
Want to discuss this case? We're offering a FREE 20 minute phone consultation to discuss this case and the implications it has for your organisation. Just select the time and date that works for you:
If you'd rather we did the heavy lifting in developing a cyber incident response plan or lessons learnt training for your organisation underpined by our unique insight into the challenges faced and strategies implemented by organisations countering today's cyber security threats then please contact us here.