The University of Greenwich in the United Kingdom was recently fined £120 000 by its information regulator, the Information Commissioner’s Office. You can read the full decision here.
Why do we care?
We care because South Africa’s Protection of Personal Information Act (POPIA) is very similar to the General Data Protection Regulation (GDPR) that was implemented in the EU on 25 May 2018.
POPIA is currently a very relevant piece of legislation in South Africa, and it will have a far-reaching impact here, very much like the GDPR has had on organisations within the European Union and beyond.
We have been actively involved with training programmes at various South African universities to help them prepare for POPIA. So the Greenwich University matter is especially relevant to us and particularly to South African educational organisations.
How likely is a South African organisation to be fined?
South Africa is reputed to be one of the most vulnerable countries when it comes to cybercrime, and the education and health sectors are consistently among the top five most vulnerable to data breaches. The fine imposed on Greenwich is a hefty one, and our own Regulator has the power to slap your organisation with an administrative fine of up to R10 million if you suffer a data breach.
What was Greenwich fined for?
An academic staff member and a student developed a microsite for a conference. Attendees could register and upload abstracts and articles for the conference on this microsite. Unfortunately, the microsite was not decommissioned after the conference. Some three years later, the microsite was targeted by what is called an SQL injection attack. An SQL injection attack means that malicious files are uploaded onto your system so that hackers can gain access to underlying databases. And that is exactly what happened at Greenwich University.
Hackers gained access to a database of about 19 500 records of not only the conference attendees, but other students and staff too. About 3 500 of the records contained sensitive information relating to health issues, assessment offences, and learning difficulties.
However, Greenwich University was unaware that its IT infrastructure included a microsite that was vulnerable to an SQL injection attack and that this microsite could lead to access to underlying databases.
The relevance of this attack lies in the fact that the UK regulator had in the past issued a guidance document on how to secure online services that specifically addressed SQL injection flaws and the danger of keeping microsites live after they had served their purpose.
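As an added illustration, not taken from the original post or the ICO decision, of the class of flaw the regulator's guidance addresses: a conference-registration lookup that splices user input straight into a database query, beside the parameterised version that treats the input purely as data. The attendee table, names and email addresses are constructed for the example.

```python
import sqlite3

# Constructed sample data standing in for the kind of registration table a
# conference microsite would hold (names and addresses are invented).
ATTENDEES = [
    ("Alice Example", "alice@example.org", "Keynote abstract"),
    ("Bob Example", "bob@example.org", "Poster abstract"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with a small attendees table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE attendees (name TEXT, email TEXT, abstract TEXT)")
    conn.executemany("INSERT INTO attendees VALUES (?, ?, ?)", ATTENDEES)
    conn.commit()
    return conn


def find_attendee_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """Builds the query by string concatenation: the input becomes part of the SQL."""
    query = "SELECT name, email FROM attendees WHERE email = '" + email + "'"
    return conn.execute(query).fetchall()


def find_attendee_safe(conn: sqlite3.Connection, email: str) -> list:
    """Binds the input as a parameter, so it can only ever be compared as a value."""
    query = "SELECT name, email FROM attendees WHERE email = ?"
    return conn.execute(query, (email,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # A value that is not any attendee's address but contains a quote character.
    crafted = "x' OR '1'='1"
    print("vulnerable:", find_attendee_vulnerable(db, crafted))  # every row is returned
    print("safe:", find_attendee_safe(db, crafted))              # returns []
```

The same input returns the whole table from the concatenated query and nothing from the parameterised one; a test that submits such values to each input of a live site is one of the proactive checks the regulator expected.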
So, what did the UK Information Regulator say?
These are the specific issues that the University was fined for:
- The University did not exert adequate control over its IT infrastructure; in fact, Greenwich University was not even aware that the microsite existed, much less that it was not properly secured.
- The University failed to identify the possible risks to its wider network and underlying systems.
- The microsite was not decommissioned after it had served its purpose.
- The University did not undertake appropriate proactive monitoring and testing activities to discover vulnerabilities.
According to POPIA, administrative fines of up to R10 million can be payable on the advice of the Regulator, so with this in mind, universities and other education institutions should take heed.
In case you are wondering whether the GDPR applies to South African organisations, here is our newly updated white paper on the topic.