Just a few days before the GDPR came into force, trouble befell the University of Greenwich. The Information Commissioner's Office (the ICO, an independent body that supervises compliance with information law in the UK) fined the university £120 thousand (at the time of writing, about 136 thousand euros, 160 thousand US dollars, 10 million Russian rubles or 4.2 million Ukrainian hryvnias) for a serious security vulnerability that led to the leak of data on almost 20 thousand students and staff. How such a respectable university managed to land in the ICO's crosshairs and become the first university fined for violating the DPA, and what this teaches us, read under the cut.

It all started back in 2004. That year the university held an academic conference at its Computing and Mathematics School, for which one of the students built a microsite. One of its functions was anonymous file upload. The conference ended, and the server was simply forgotten. Nobody switched it off, wiped it or updated it. It just hummed away in a corner for years (we can only envy a university budget that lets you forget about servers and the electricity they consume).
Finally, in 2013, i.e. after 9 (!) years, the first attacker reached the server and used the anonymous upload function to compromise the microsite. Nobody noticed. That is hardly surprising: how would you spot a break-in on a server that nobody had looked at for 9 years?
Attackers got into the university's network several more times in 2016, exploiting SQL and PHP vulnerabilities in software that by then had gone 12 years without an update. Again, nobody noticed for a long time. The breach and the data theft only came to light when one of the attackers posted the whole dump on Pastebin.
And a lot was leaked. The personal information of about 19,500 students, graduates and university staff, including names, addresses and telephone numbers, ended up publicly accessible. So did more sensitive data on 3,500 people, covering not only reasons for absence but also learning difficulties, illnesses and so on.
The university acknowledged its mistake and carried out a "general clean-up" to substantially improve the security of its internal resources.
What does this teach us?
The story is almost comic, but very instructive, and there are lessons in it from several perspectives.
From the GDPR perspective
Since the decision was issued just days before the GDPR came into force, many people look at the case through the lens of that regulation. Under it, the university is a controller of personal data and is therefore responsible for keeping that data secure, even though the site was created long ago, within a single department and, apparently, without the IT department's knowledge.
The fine could have been higher had the incident occurred after the new rules took effect. Under the old rules the ICO can impose fines of up to £500 thousand (about 560 thousand euros); the GDPR provides for fines of up to 20 million euros or 4% of annual worldwide turnover, whichever is greater.
From the perspective of large organizations
The larger an organization, the harder it is to keep an inventory of what it runs, especially when it has fairly autonomous units such as faculties, remote offices or production sites. But that is no reason to stop keeping one.
Responsible IT departments should refresh their memory of a couple of simple rules that would have prevented this situation:
- Update software regularly. The rule is so obvious it is almost embarrassing to write down, but it was largely the failure to follow it that led to the consequences described above.
- Take out the garbage on time. How often do we create temporary sites, files, open shares or accounts with trivial passwords for a one-off task? I suspect many of us do it now and then. And sometimes we forget to remove them once the task is done, leaving a hole in our security. Who knows how soon someone will find your test.php with direct access to the database?
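The two rules above, plus the inventory problem of a decentralised estate, can be turned into a routine check. The script below is an added illustration (not tooling from the university or the ICO): it runs over a constructed asset register and flags hosts with no owner, past their planned decommission date, or unpatched for longer than a chosen threshold, so that a 2004 conference box or a scratch test.php host shows up before an attacker finds it.

```python
"""Stale-asset review (added illustration; the register below is constructed)."""
from datetime import date, timedelta

# Constructed sample register: one entry per web-facing host or microsite.
ASSETS = [
    {"host": "conf2004.cms.example.edu", "owner": None,
     "purpose": "conference microsite (temporary)",
     "last_patched": date(2004, 6, 1), "expires": date(2004, 9, 1)},
    {"host": "www.example.edu", "owner": "central-it",
     "purpose": "main site",
     "last_patched": date(2018, 5, 10), "expires": None},
    {"host": "test.example.edu", "owner": "alice",
     "purpose": "scratch box with test.php",
     "last_patched": date(2018, 4, 1), "expires": date(2018, 3, 15)},
]

# Threshold for "regularly update the software"; 90 days is an assumed policy value.
MAX_PATCH_AGE = timedelta(days=90)


def review(assets, today, max_patch_age=MAX_PATCH_AGE):
    """Return {host: [findings]} for every asset that needs attention."""
    findings = {}
    for asset in assets:
        issues = []
        if not asset.get("owner"):
            # Nobody will notice a compromise on a host nobody owns.
            issues.append("no owner")
        if asset["expires"] and asset["expires"] < today:
            # "Take out the garbage": the host outlived its stated purpose.
            issues.append("past expiry: decommission")
        age = today - asset["last_patched"]
        if age > max_patch_age:
            issues.append("unpatched for %d days" % age.days)
        if issues:
            findings[asset["host"]] = issues
    return findings


if __name__ == "__main__":
    # Constructed review date; a real run would use date.today().
    for host, issues in review(ASSETS, date(2018, 5, 21)).items():
        print(host, "->", "; ".join(issues))
```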
If this article encourages even one person to review their resources, especially those that have outlived their purpose, then my day has not been wasted.
For reference
The Information Commissioner's Office is a British body created to uphold information rights in the public interest. Its duties are set out in the Data Protection Act 1998, the Freedom of Information Act 2000, the Environmental Information Regulations 2004 and the Privacy and Electronic Communications Regulations 2003.
Among the office's tasks is correcting the behaviour of organizations and individuals that collect, process and use personal data. It has a wide arsenal of measures at its disposal, from audits to fines and criminal prosecution. Some cases from its practice may surprise you, or even make you envious.
- Costelloe and Kelly Limited was fined £19,000 for sending more than 260,000 spam messages advertising funeral service packages.
- Royal Mail was fined £12,000 for spamming users who had unsubscribed.
- The Crown Prosecution Service was fined £325,000 for losing unencrypted DVDs of police interviews relating to the cases of 15 victims of child sexual abuse. And this was the prosecution service's second loss of data. So it's not only in our country that things are a mess...
- A former recruitment consultant parted with more than a thousand pounds for taking data from the employer's database. And which of you has pulled repositories or customer databases before leaving a company? ;)
- The Bible Society paid hundreds of thousands of pounds for a vulnerability through which information on about 417 thousand supporters of the organization was leaked, including bank card and account details of people who had made donations.
- An employee of a local government education department was fined £1,500 for sending personal data of schoolchildren and their parents via Snapchat. She meant no harm: one parent wanted some information about his child. But since a phone camera cannot photograph just one row of a spreadsheet, the parent received the personal data of 37 pupils and their parents, including names, addresses, dates of birth and social security numbers. Incidentally, she no longer works there.
It remains only to hope that a civilized and respectful attitude towards data will sooner or later reach our lands too.