Crying over spilled data. Greenwich University and the GDPR.


The University of Greenwich in the United Kingdom was recently fined £120 000 by the UK's data protection regulator, the Information Commissioner's Office (ICO). You can read the full decision here.

Why do we care?

We care because South Africa’s Protection of Personal Information Act (POPIA) is very similar to the General Data Protection Regulation (GDPR) that was implemented in the EU on 25 May 2018.

Currently the POPIA is a very relevant piece of legislation in South Africa. The POPIA will have a far-reaching impact in South Africa, very much like the GDPR has on organisations within the European Union and beyond.

We have been actively involved with training programmes at various South African universities to help them prepare for POPIA. So the Greenwich University matter is especially relevant to us and particularly to South African educational organisations.

How likely is a South African organisation to be fined?

South Africa is reputed to be one of the countries most exposed to cybercrime, and the education and health sectors are consistently among the top five most frequently hit by data breaches. The fine imposed on Greenwich is a hefty one, and our own Regulator has the power to impose an administrative fine of up to R10 million on an organisation whose failure to comply with POPIA leads to a data breach.

What was Greenwich fined for?

An academic staff member and a student developed a microsite for a conference. Attendees could register and upload abstracts and articles for the conference on this microsite. Unfortunately, the microsite was not decommissioned after the conference. Some three years later, the microsite was targeted by what is called an SQL injection attack. SQL injection happens when a web application pastes what a user types (a search term, a login name, a form field) directly into the text of a database query instead of passing it as a separate parameter. The database cannot tell where the developer's query ends and the attacker's input begins, so carefully crafted input is executed as part of the query and lets the attacker read, change or delete data in the underlying database. And that is exactly what happened at Greenwich University.
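To make the mechanism concrete, here is an added illustration (our own example, not code from the Greenwich microsite or from the ICO decision) of the two ways a small conference microsite might look up an attendee. The table names, records and the "student_records" table sharing the same database are constructed for the example; they stand in for the situation described above, where a forgotten microsite sat on top of a database holding far more than conference registrations.

```python
import sqlite3

# Constructed sample data, not the Greenwich data set: a conference
# registration table that happens to live in the same database as an
# unrelated, sensitive table of student records.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE attendees (id INTEGER PRIMARY KEY, name TEXT, email TEXT);
        CREATE TABLE student_records (id INTEGER PRIMARY KEY, name TEXT, note TEXT);
        INSERT INTO attendees VALUES
            (1, 'Alice', 'alice@example.org'),
            (2, 'Bob',   'bob@example.org');
        INSERT INTO student_records VALUES
            (1, 'Carol', 'learning difficulty - extra time in exams'),
            (2, 'Dave',  'assessment offence recorded 2015');
    """)
    return conn


def lookup_attendee_vulnerable(conn, name):
    """The microsite as it should never be written: the value typed by the
    visitor is glued into the SQL text, so it becomes part of the query."""
    sql = f"SELECT name, email FROM attendees WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_attendee_safe(conn, name):
    """The same lookup done properly: the value is bound as a parameter and
    the database treats it as data, never as SQL, whatever it contains."""
    sql = "SELECT name, email FROM attendees WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# An attacker does not search for a name; they close the quote, bolt a second
# query onto the first with UNION, and comment out the rest of the line.
# The "--" turns the developer's trailing quote into an SQL comment.
UNION_PAYLOAD = "x' UNION ALL SELECT name, note FROM student_records --"

# A cruder payload that simply makes the WHERE clause always true.
TAUTOLOGY_PAYLOAD = "x' OR '1'='1"


def demo():
    """Run both lookups against both payloads and return what each exposes."""
    conn = build_db()
    return {
        "vulnerable_union": lookup_attendee_vulnerable(conn, UNION_PAYLOAD),
        "vulnerable_tautology": lookup_attendee_vulnerable(conn, TAUTOLOGY_PAYLOAD),
        "safe_union": lookup_attendee_safe(conn, UNION_PAYLOAD),
        "safe_tautology": lookup_attendee_safe(conn, TAUTOLOGY_PAYLOAD),
        "safe_normal": lookup_attendee_safe(conn, "Alice"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The vulnerable lookup returns the student records for the UNION payload and every attendee for the tautology payload; the parameterised lookup returns nothing for either, and still finds Alice when asked for Alice. Nothing here depends on the web framework or the database product: the flaw is purely how the query string is assembled, which is why a site written once for a conference and never touched again stays exploitable for as long as it stays online.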

Hackers gained access to a database of about 19 500 records relating not only to the conference attendees but to other students and staff too. About 3 500 of the records contained sensitive information relating to health issues, assessment offences and learning difficulties.

Greenwich University was, however, unaware that its IT infrastructure included a microsite that was vulnerable to SQL injection, let alone that this microsite could serve as a route into the underlying databases.

What makes this case significant is that the UK regulator had previously published guidance on securing online services that specifically addressed SQL injection flaws and the danger of keeping microsites live after they have served their purpose.

So, what did the UK Information Regulator say?

These are the specific issues that the University was fined for:

  • The University did not exert adequate control over its IT infrastructure; in fact, Greenwich University was not even aware that the microsite existed, much less that it was not properly secured.
  • The University failed to identify the possible risks to its wider network and underlying systems.
  • The microsite was not decommissioned after it had served its purpose.
  • The University did not undertake appropriate proactive monitoring and testing activities to discover vulnerabilities.

Under POPIA the Regulator can impose administrative fines of up to R10 million, so universities and other educational institutions should take heed.

In case you are wondering whether the GDPR applies to South African organisations, here is our newly updated white paper on the topic.

About the Author:

Elizabeth de Stadler
Elizabeth is the quirky one in the company. She specialises in all things Consumer Law, plain language drafting and designing and delivering training. She prides herself on being slightly out there and bringing a fresh perspective to compliance issues. She has a Masters (cum laude – the nerd) in Consumer Law. Elizabeth met Paul in 2011 and joined Esselaar Attorneys (she is still a senior associate at the firm). In 2013 they founded Novation Consulting together. Elizabeth is a bit of a nerd. She is the editor of the Consumer Law Review (you can get it here for free!) and wrote A Guide to the Protection of Personal Information Act with Paul. She is also the author of Consumer Law Unlocked, a co-author of the hefty Commentary to the Consumer Protection Act and wrote chapters on the Consumer Protection Act in The Law of Contract in South Africa and The Law of Commerce in South Africa. She is currently working with Liezl van Zyl from the Stellenbosch University Language Centre on Plain language legal drafting, which will be published in 2017. Elizabeth loves Lego, sneakers, zombies and white wine. She hates comic sans font, sweet potato and most other attorneys. She is allergic to suits and ‘office shoes’ because of the years she worked at Webber Wentzel. She is very scared of moths. It is a thing – read about it. Want to find out more about Elizabeth? Check her out on LinkedIn. Better yet, contact her on elizabeth@novcon.co.za or (021) 481 8004.