University of Hertfordshire avoids data breach action by UK watchdog

The ICO is taking no further action despite student information being inappropriately shared.
Written by Charlie Osborne, Contributing Writer

The University of Hertfordshire has avoided an investigation by the ICO into its data-sharing practices after exposing student information.

The security incident took place in November 2019, when a bulk email promoting an art lecture was sent with an attachment containing the names and email addresses of approximately 2,000 students.

Once the university realized its mistake, the email was recalled -- but the damage was done. 

Under the terms of the EU's General Data Protection Regulation (GDPR), breaches of this nature have to be reported to the UK's Information Commissioner's Office (ICO), a step taken by the academic establishment. 

The University of Hertfordshire said at the time it took data protection "extremely seriously" and had reviewed its processes in light of the breach, as reported by the BBC. Improved staff training is also now in force. 

The university said the ICO has now reviewed the case and "decided that it was not necessary to investigate further."

An ICO spokesperson added, "people have the right to expect that organizations will handle their personal information securely and responsibly [...] after looking at the details, we provided the organization with advice and concluded no further action was necessary."

The data breach may be small, but the University of Hertfordshire was lucky to escape without further censure or a fine. Over 160,000 data breach reports have been made since GDPR came into force in 2018 and hefty fines have already been issued to companies including British Airways and Marriott Hotels for security failures. 

It is estimated that only one in three businesses are fully GDPR compliant. 

In this case, students were not compensated. However, a 2017 data breach which occurred at the University of East Anglia in Norwich cost the institution £140,000 ($181,000) in damages. 

The university sent emails to students containing their peers' confidential information, reportedly including notes on suicidal thoughts, family issues, and sexual assaults. 
