Wednesday, 16 March 2011

University of York exposes 17,000 students' private information.

Due to a vulnerability on their website, the University ended up leaking 17,000 students' private information, including:

Names and addresses

Phone numbers

A level results

Names of next of kin

The ICO have been informed but I don't hold hope of them doing much.

Questions to ask:

Why was private data on a public website?

When was the last time the site was pen-tested?

When was the last time the server's OS and web server were patched?

Let's hope the ICO do get serious about such breaches.

The problem with the ICO is that the Data Protection Act they have to police has not been implemented correctly in line with the EU Data Protection Directive. Also the ICO is not sufficiently independent from Government to actually be a real threat or to be taken seriously.

There might be a simple fine here, and the University will simply pay it and move on. If, on the other hand, a criminal conviction were attached to a breach of the DPA, as it is for breaches of Health and Safety law, then data owners would take looking after data a lot more seriously.

The European Court of Justice is considering taking infraction proceedings against the UK for failing to implement the Data Protection Directive. Personally, the sooner this happens the better, as it will force an overhaul of the Data Protection Act in the UK.
