Personal and financial information of over 90,000 staff and students at the University of Surrey and Surrey Sports Park were potentially compromised after an employee at one of their suppliers published a password that allowed access to such data.
Data compromised by the incident included names, contact details, and dates of birth of staff and students as well as bank account and sort code details of members of Surrey Sports Park who make payments via direct debit. According to the University of Surrey, there is no evidence of such data being accessed or misused by unauthorised third parties.
We have learned that the data security incident also compromised health information of members of Surrey Sports Park which was disclosed by such members at the time of registration.
"We are writing directly to all those who may have been affected by this to make them aware of the potential risk as a precaution. We sincerely apologise to anyone this may have inconvenienced. We immediately protected this data once we were told of this issue and we are reassured that the risks of it having been misused are low," said James Newby, Data Protection Officer at the University.
"We have reported this to the Information Commissioner’s Office, and we encourage all those to whom we have written to remain vigilant, use strong passwords and never give out personal details over the phone," he added.
"We are very disappointed to learn of this issue. Fortunately there is no evidence to suggest that any data has been accessed improperly. The protection of the personal information of all of our members is a top priority for us and we are taking a precautionary approach to this situation to ensure that our members are protected," said Karen Rothery, CEO of Surrey Sports Park.
This isn't the first time that a UK-based university has suffered a data security incident due to the carelessness of employees. In June last year, the University of East Anglia had to issue a public apology after an unforgivable error by one of its staff members resulted in the leakage of sensitive details of 42 students with extenuating circumstances to nearly 300 other students.
A spreadsheet shared by the university with 298 students included details of health problems, personal issues and family bereavements of as many as 42 students. These students had sought extensions and other academic concessions based on these circumstances.
The same university suffered yet another embarrassment in November when one of its employees shared confidential health details of one of its staff members with nearly 300 postgraduate research students via an e-mail, a serious error that attracted the wrath of the University's students' union as well as cyber experts.
"Given the earlier revelations about data breaches of this nature last year, this latest incident is breathtaking and we'd be forgiven for not trusting what are starting to look like hollow reassurances. Students are rightly questioning whether their personal data is safe in UEA's hands and we'll be demanding action at the highest levels in coming days," said Jack Robinson, campaigns officer at the students' union, to the BBC.
Matt Lock, Director of Sales Engineers at Varonis, said that since universities hold sensitive personally identifiable information (PII) and protected health information (PHI) on tens of thousands of students, they have a duty to ensure the security of such data and also to educate their employees and contractors on good cyber hygiene practices.
"The way that personal data is collected and stored is a huge privacy concern, particularly in light of the upcoming GDPR: universities (and individuals) need to keep an eye out on privacy policies and data gathering in order to consistently meet business policy and security requirements.
"Exposed personal data can be a huge vulnerability - not only an abuse of personal data privacy, but can be leveraged to breach more secure systems and put critical data at risk," he added.