The University of South Wales recently announced that it suffered a "limited data breach" after one of its systems was infiltrated by a hacker who may have stolen personal information of university staff. A 26-year-old man from Pontypridd was arrested in connection with the breach last week.
Even though the university has provided very little information about the breach, saying no more than that the breach was a "limited" one, a university staff member told Wales Online that the hacker behind the breach may have accessed the university's student record system and stolen personal information of staffers.
"The University of South Wales has referred a limited data breach to South Wales Police. We have taken immediate action to secure the university's systems to ensure that there are no further breaches," the university said in a statement. The Information Commissioner's Office is yet to be informed about the breach by the university.
26-year-old Pontypridd hacker targeted University of South Wales
South Wales Police has confirmed that it arrested a 26-year-old man from Pontypridd in connection with the incident on 30 May and that the individual is currently out on bail.
"South Wales Police can confirm that a 26 year-old man from Pontypridd was arrested in connection with a ‘data breach’ referred to South Wales Police by the University of South Wales, on May 30. He has since been released on bail. The investigation is ongoing," it said.
A number of universities across the UK have been investigated by the ICO in the recent past either for leaking personal data of students and staff or for failing to prevent malicious actors from gaining access to systems and databases containing sensitive information.
In May last year, the ICO fined the University of Greenwich £120,000 for failing to prevent the breach of personal data of nearly 20,000 students, staff and alumni. The breach occurred when hackers gained access to an old and unprotected microsite that contained personal details of 19,500 students, staff, and alumni, such as "information on extenuating circumstances, details of learning difficulties and staff sickness records".
According to the Information Commissioner's Office, the University of Greenwich failed to secure either the microsite or its web servers from being accessed by unauthorised or malicious actors and was therefore liable to face monetary fines.
A month earlier, the personal and financial information of over 90,000 staff and students at the University of Surrey and Surrey Sports Park was potentially compromised after an employee at one of their suppliers published a password that allowed access to such data.
Data exposed by the incident included names, contact details, and dates of birth of staff and students as well as bank account and sort code details of members of Surrey Sports Park who make payments via direct debit. The data security incident also compromised health information that members of Surrey Sports Park disclosed at the time of registration.