Warwick University has reportedly kept secret from staff and student data breaches to its infrastructure.
According to reports from Sky News, the problem happened when a member of staff installed remote-viewing software allowing cyber-criminals to steal sensitive personal information on students, staff and even people taking part in research studies.
An earlier report found that security was so poor at the educational institution that it could not identify what data had been stolen.
Several sources informed Sky News that the university’s registrar and executive lead for data protection, Rachel Sandby-Thomas, failed to inform individuals or research bodies about the breaches. Sandby-Thomas has been the executive lead for IT and data protection at the university since 2016.
A voluntary audit of the university by the ICO, published in March, found several flaws in its security systems. The University did not undertake coordinated actions in response to persistent security issues, for example having continuous monitoring at DPPG, detailing an action plan with cross-departmental procedures, and swift drafting and deployment of policy reinforced by training and awareness.
The ICO also found that Warwick had not mandated information governance training across departments, did not provide data protection training to departments that processed data covered by GDPR, and did not offer additional training to staff who were involved in security incidents.
In a meeting following the ICO audit, the regulator recommended that Sandby-Thomas should be removed as chair of the university’s data protection privacy group (DPPG).
In a statement to Sky News, Warwick University said that the “registrar fully agreed with the report’s finding that we should give those areas of responsibility to someone with a specialist skill set and experience.”
Laurie Mercer, security engineer at HackerOne, told SC Media UK that Warwick is “missing a trick” in not harnessing student power to help shore up security.
“The National University of Singapore has run a number of successful challenges whereby students are invited to test their skillsets and find vulnerabilities in the university’s network. The last one saw 13 valid vulnerabilities reported, and the students benefited from monetary rewards with more than £3,600 being paid to students,” he said.
Robert Meyers, channel solutions architect and fellow of information privacy at One Identity, told SC Media UK that the highlights an ambiguity between Articles 33 and 34 of the GDPR.
“There is no leeway for communications to a supervisory authority, the rule is 72 hours. However, article 34 is where the treatment of impacted individuals gets messier. The quote from the GDPR is, “When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay”, so what defines high risk? There are no rules here, and this is an area that is a failure in the GDPR when it comes to individuals. There should have been communications, however, there is too much ambiguity when there is no timeline, nor is there a definitive requirement to notify the individual,” he said.