In May 2018, the university disclosed that it had been fined by the UK Information Commissioner for a data breach involving 19,500 people in what was believed to have been the first fine issued to a university under the Data Protection Act 1998 after the university failed in this duty following a training conference in 2004.
A microsite had been developed dedicated to the training event which logged information from both staff and students, this website was not secured or closed down afterward. Threat actors (some of which included former students who had been asked to leave the university) first exploited a vulnerability in the domain in 2013 to access areas of the web server and posted what they discovered on the dark web. The exposed data included names, addresses, dates of birth, phone numbers, signatures and, for some, physical and mental health problems.
Want to discuss this case? You can purchase a 30 minute conference call with our analysts to discuss this case and the implications it has for your organisation. Just select the time and date that works for you:
We've done the analysis so you can make the decisions