The University of York has received the results of an investigation undertaken by the Information Commissioner’s Office (ICO) into the mass data breach that occurred earlier this year. The ICO has concluded that the University failed to close a test area of its website, which led to a breach of the Data Protection Act and allowed students to access the information contained within (including names, addresses, phone numbers and A-Level results) for over a year after the breach first occurred in September 2009.
In an official statement released by the ICO, Director of Operations Simon Entwisle said: “We recognise that people can make mistakes when handling data,” but went on to add that the breach could have been avoided had the University “properly assessed the risks that this work posed to the security of their students’ details.” The delay in rectifying the error, according to the ICO, was caused by the University’s failure to test the security of their IT system once work had been completed.
Entwisle’s statement went on to say that despite the prolonged nature of the data breach, the “information made available wasn’t likely to cause the students substantial damage or distress.” For this reason, the ICO has confirmed that the University will not be subject to a fine. The ICO is now “satisfied that the University of York has taken action to improve the security of its IT system, including carrying out regular testing.”
The University released an official statement in response to the ICO’s findings, in which it claims that it has “taken a number of steps to improve…the security of its systems” and that the changes it makes will “result in a new structure and culture of information governance within the University.” These changes will include annual “penetration and vulnerability testing on systems where personal data is stored.”
The University has confirmed that Vice Chancellor Brian Cantor has signed a Letter of Undertaking reaffirming the institution’s commitment to the security of personal data.
The ICO has also announced that it will be launching a Student Brand Ambassador campaign in the coming months, in which fifteen students from universities across the country will act as ambassadors. It hopes the campaign will help to spread the word on how students can exercise their rights under the Data Protection Act.