The University of Greenwich has been handed a £120,000 fine by the ICO for a data breach involving nearly 20,000 people, which included medical information.

Contact details, including names addresses and phone numbers, of 19,500 students, staff and alumni were leaked. As well as contact details, information about learning difficulties and staff sickness records were accessed and posted online.

The leak was a result of the setting up of a microsite for a training conference in 2004 by an academic and a student in the university’s Computing and Mathematics School, which at the time was devolved from the main university.

Following the conference, the site was not properly closed down or secured. This was compromised in 2013 and in 2016 attackers exploited the site’s vulnerability to access other parts of the web server.

This case is the first time a university has been fined by the ICO under the Data Protection Act 1998. Steve Eckersley, head of enforcement at the ICO, commented: “Whilst the microsite was developed in one of the University’s departments without its knowledge, as a data controller it is responsible for the security of data throughout the institution.

“Students and members of staff had a right to expect that their personal information would be held securely and this serious breach would have caused significant distress. The nature of the data and the number of people affected have informed our decision to impose this level of fine.”

The university has accepted its fine and offered an apology. In a statement, it wrote: ‘The Information Commissioner’s Office has imposed a penalty on the University of Greenwich and has issued its findings on a breach of personal data which was discovered in 2016 and involved unauthorised access to some data on the university’s systems at the time.

‘The university does not intend to appeal the penalty. After the ICO’s prompt payment discount the cost to the university will be £96k. We take this extremely seriously, and would like to apologise again to those who may have been affected.’

According to the statement, it has invested in security architecture and technologies since 2016, as well as hiring new InfoSec staff. As it has opted to pay the fine quickly, the amount will be reduced to £96,000.