The University of York has been severely ticked off by the Information Commissioner’s Office (ICO) for failing to notice that the personal records for thousands of its students were accessible on its website for over a year.
The breach happened by accident in September 2009 after an IT security error allowed records showing names, dates of birth, A-level results, mobile telephone numbers and addresses for several thousand students to become reachable on the university’s website.
In the event, because the records were not linked to directly on the website, only 148 of them were inappropriately accessed, but the potential for a serious breach was obvious. Had the scale of the issue become known to visitors, the breach could have had more serious consequences.
Worst of all, the error wasn’t noticed for over a year, which suggested poor auditing.
“We recognise that people can make mistakes when handling data. That’s why it is so vital that adequate checks and security measures are put in place,” said ICO director of operations, Simon Entwisle.
“They [the University] also failed to test the security of their IT system once the work was complete, leading to an unnecessary delay in the error being corrected,” he said.
Having escaped a fine on this occasion, the University has now signed one of the ICO’s undertakings in which it promises to improve data security.
The filing cabinets of public sector organisations in the UK are now slowly filling up with such undertakings, and there is some evidence that they work - few organisations come back for seconds.
Private sector companies have also been in the ICO’s sights recently, most notably mobile phone network T-Mobile. The ICO took a lead role in the investigation into the crooked sale of large numbers of customer records to brokers by company insiders.