University of Greenwich exposes students' personal details in data privacy breach

University secretary is "sorry" while ICO opens investigation

Hundreds of names, addresses, signatures, dates of birth and mobile phone numbers have been uploaded to the University of Greenwich's public website in a breach of the Data Protection Act.

The posting of the details, all belonging to research students, was reported to the BBC earlier today by one of the affected students, who found that the information could be easily viewed by a simple Google search.

The university insists the details have since been removed, and has released a statement explaining how "sorry" the institution's secretary, Louise Nadal, is about the incident.

"I am very sorry that personal information about a number of postgraduate research students has been accessible on the university website," said Nadal.

"This was a serious, unprecedented error, in breach of our own policies and procedures. The material has now been removed."

Nadal said the university is now "acting urgently to identify those affected" and that each person will be contacted individually "to apologise and to offer the support of the university".

"At the same time, I am also conducting an investigation into what went wrong. This will form part of a robust review, to make sure that this cannot happen again. The findings and recommendations of the review will be published," continued Nadal, before adding that the university is "committed to protecting confidential data".

The statement also says that Greenwich University is "co-operating fully" with the ICO, who offered the following statement to Computing this morning, via a spokesperson:

"We are aware of an incident at Greenwich University and are making enquiries."

Michael Hack, senior VP of EMEA operations at file transfer firm Ipswitch, said that institutions like the University of Greenwich must increasingly watch their backs as new EU regulations (namely GDPR) seek to clamp down on lax data protection conduct.

"This type of breach will be penalised by even more severe financial penalties than are currently in place," said Hack.

"It is clear that, in this case, there has been a breakdown in either policy or procedure - quite likely both.

"Names, addresses, dates of birth, phone numbers and signatures were all uploaded to the university's website in a clear breach of data protection regulation. It would have been like a Lottery win for anyone involved in identity fraud," concluded Hack.