Warwick University has allegedly kept secret from staff & students data breaches to its infrastructure. The breach occurred when an employee installed malware unintentionally.
As reported on Sky News, the problem occurred when a member of staff installed remote-viewing software allowing cyber-criminals to steal sensitive personal information on students, staff & those taking part in research.
Earlier, a report concluded that security was poor at the institution, & that it could not identify what data had been stolen.
Sources told Sky News that the university’s Registrar & Executive Lead for Data Protection, Rachel Sandby-Thomas, did not inform both individuals & research organisations about the breaches. Sandby-Thomas has been, since 2016, the Executive Lead for IT and Data Protection at the university.
After a voluntary audit of the university conducted by the ICO, published in March, several defects in its security systems were then found. The University, as reported, did not undertake ‘coordinated actions’ in response to persistent security issues, e.g. having ‘continuous monitoring’ at DPPG, ‘detailing an action plan with cross-departmental procedures’, & ‘swift drafting & deployment of policy reinforced by training & awareness.’
The ICO has also discovered that Warwick had not made compulsory information governance training across departments, did not provide data protection training to departments that processed data covered by GDPR, & also did not offer additional training to those staff who became involved in security incidents.
After a meeting that followed the ICO audit, the regulator then recommended that Sandby-Thomas should be removed as Chair of the university’s Data Protection Privacy Group (DPPG).
In a statement released to Sky News, Warwick University responded that the “registrar fully agreed with the report’s finding that we should give those areas of responsibility to someone with a specialist skill set and experience.”
Laurie Mercer, Security Engineer at Hacker One, said Warwick is “missing a trick” in not utilising students to help ‘beef-up’ security.
National University of Singapore
“The National University of Singapore has run a number of successful challenges whereby students are invited to test their skillsets and find vulnerabilities in the university’s network. The last one saw 13 valid vulnerabilities reported, & the students benefited from monetary rewards with more than £3,600 being paid to students,” he informed.
Robert Meyers, Channel Solutions Architect & Fellow of Information Privacy at One Identity, explained further that this brings to light a very obvious ‘ambiguity’ between Articles 33 & 34 of the GDPR.
“There is no leeway for communications to a supervisory authority, the rule is 72 hours.
However, Article 34 is where the treatment of impacted individuals gets more complex. The wording from the GDPR is as follows, “When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay” However, the problem is what actually defines ‘high risk?’
There are not firm rules here, & this is clearly an area that is a failure in the GDPR as applied to individuals. There should have been communications, however, there is too much ambiguity when there is no timeline, nor is there a definitive requirement to notify the individual,” he observed.
It is hoped that the relevant authorities will act in order to fully clarify the rules.