A web server set up by an enterprising student for a conference in 2004 and then forgotten about has left the University of Greenwich nursing a £120,000 ($160,000) fine from Britain's Information Commissioner (ICO).
Forgetting about a web server isn't generally a good idea, but this was a particularly dangerous oversight because it had been linked to a database containing the personal data of 19,500 University staff, students, alumni, and conference attendees.
The data also included sensitive personal data on 3,500 people, covering learning difficulties, staff sickness, food allergies, and extenuating circumstances put forward by students during their studies.
You can probably guess where this is heading – eventually cybercriminals chanced upon the forgotten server and did their worst.
-- submitted from IRC
(Score: 3, Insightful) by theluggage on Friday May 25 2018, @04:09PM
As I said - the problem is not the academics' conference servers (worst case: individual sites get defaced and malware'd and have to be deleted), it's the confidential staff and student records that shouldn't have been on the same server in the first place.
Anyway, doesn't matter where the server is located if the data is about EU citizens and you don't want to get banned from doing business in Europe or other countries that value their trade with Europe (about the only thing that is certain about Brexit is that we're stuck with the GDPR).
The difference between Europe and the Land Of The Free(c)(r)(tm)(pat. pending) is that, if 20,000 sensitive personal details leak onto the internet, instead of getting fined $200k by some eeeevil liberal-infested gubment agency you just get hit with a $1m class-action lawsuit that will cost you $200k to fight, even if you win.
Still covered by GDPR...
Doesn't have to be unless the ICO goes insane and starts "soft-targeting" small fry.
See this BBC article [bbc.co.uk] which includes some rather more conciliatory comments from the ICO and lawyers as a counter to some of the FUD flying around. TLDNR: a lot of companies and institutions are overreacting. Quote:
I think the worst hit are going to be staff in big institutions like universities - and small companies doing business with them* - who might be saddled with over-cautious one-size-fits-all institutional rules that don't distinguish between promoting an academic conference and interviewing 8-year-olds about gender identity issues.
(* not many of those left, thanks to the EU rules** on "competitive tendering" that are so onerous that public institutions end up signing single-supplier agreements with a few big players)
(** or rather, one should always add the qualifier, "EU rules as gold-plated by the UK government and then interpreted by the Institution in the way that will justify the greatest expansion of the procurement department")