
posted by chromas on Friday May 25 2018, @07:28AM   Printer-friendly
from the haxx dept.

A web server set up by an enterprising student for a conference in 2004 and then forgotten about has left the University of Greenwich nursing a £120,000 ($160,000) fine from the UK Information Commissioner's Office (ICO).

Forgetting about a web server isn't generally a good idea, but this was a particularly dangerous oversight because it had been linked to a database containing the personal data of 19,500 University staff, students, alumni, and conference attendees.

The data also included more intimate personal data of 3,500 people covering learning difficulties, staff sickness, food allergies, and extenuating circumstances put forward by students during their studies.

You can probably guess where this is heading – eventually cybercriminals chanced upon the forgotten server and did their worst.

Source: https://nakedsecurity.sophos.com/2018/05/22/server-what-server-site-forgotten-for-12-years-attracts-hacks-fines/

-- submitted from IRC

  • (Score: 3, Insightful) by theluggage (1797) on Friday May 25 2018, @04:09PM (#684064)

    Europe can try to microregulate its way to happiness, but academics there may have to start setting up conference servers in the land of the free to avoid the expense of this compliance regimen.

    As I said - the problem is not the academics' conference servers (worst case: individual sites get defaced and malware'd and have to be deleted) its the confidential staff and student records that shouldn't have been on the same server in the first place.

    Anyway, doesn't matter where the server is located if the data is about EU citizens and you don't want to get banned from doing business in Europe or other countries that value their trade with Europe (about the only thing that is certain about Brexit is that we're stuck with the GDPR).

    The difference between Europe and the Land Of The Free(c)(r)(tm)(pat. pending) is that, if 20,000 sensitive personal details leak onto the internet, instead of getting fined $200k by some eeeevil liberal-infested gubment agency you just get hit with a $1m class-action lawsuit that will cost you $200k to fight, even if you win.

    Or go back to mailed letters among the program committee

    Still covered by GDPR...

    GDPR is a major impediment to getting things done for the individual

    Doesn't have to be unless the ICO goes insane and starts "soft-targetting" small fry.

    See this BBC article [bbc.co.uk] which includes some rather more conciliatory comments from the ICO and lawyers as a counter to some of the FUD flying around. TLDNR: a lot of companies and institutions are overreacting. Quote:

    She [the lawyer] said small organisations should relax and apply a simple test: would a person expect to get a message from you?

    ...
    She gives as an example a swimming club. You would expect to get a newsletter about opening times at the pool or meetings. You would not expect your details to be passed without your consent to a company selling swimming costumes.

    I think the worst hit are going to be staff in big institutions like universities - and small companies doing business with them* - who might be saddled with over-cautious one-size-fits-all institutional rules that don't distinguish between promoting an academic conference and interviewing 8-year-olds about gender identity issues.

    (* not many of those left, thanks to the EU rules** on "competitive tendering" that are so onerous that public institutions end up signing single-supplier agreements with a few big players)

    (** or rather, one should always add the qualifier, "EU rules as gold-plated by the UK government and then interpreted by the Institution in the way that will justify the greatest expansion of the procurement department")
