UCD has been fined €70,000 by the Data Protection Commission (DPC) following a major data breach. The breach involved email account log-in details being posted online which were then found to have been sending spam.
The DPC has ordered UCD to bring their processes up to the standards of General Data Protection Regulation (GDPR). The DPC identified seven separate personal data breaches by the university between August 2018 and January 2019 after an investigation which began in July 2019.
Since this data breach, UCD has suffered a number of further data breaches most notably when 2,000 students had their ‘ucdconnect’ email account passwords reset after suspicious login attempts were made in September.
The university further disobeyed the GDPR by only notifying the Commission of the data breach 13 days after becoming aware of it.
The DPC said breaches concerned “instances where unauthorised third parties accessed UCD email accounts, or where the log-in credentials for UCD email accounts were posted online.” The university further disobeyed the GDPR by only notifying the Commission of the data breach 13 days after becoming aware of it.
After being asked by the Commission to bring its systems in line with GDPR standards, UCD have said, “… the university has addressed the decision ordered by the DPC with a programme of action … some elements of which are completed and others are in process.” The university further added that they fully accept the Commission’s decision and subsequent fine.
The DPC noted that UCD was unprepared for such a breach: “ … the college was unable to identify how its systems had been compromised.” The Commission added that UCD had infringed GDPR by failing to “process personal data on its email server in a manner that ensured appropriate security of the personal data using appropriate technical and organisational measures.”
Account details that had been breached were able to be identified on the website haveibeenpwned.com, a site which allows people to see if accounts such as Myfitnesspal or Playstation Live, have been compromised by searching across known data breaches.
UCD further breached GDPR by “storing certain personal data in an email account in a form which permitted the identification of data subjects for longer than necessary for the purpose for which the data were processed.”
The ruling is the first of its kind against an Irish third-level institution, however, separate investigations remain active concerning the University of Limerick and Maynooth University. Despite several evident flaws in UCD’s data protection system that led to this breach, the university has taken the stance that they have learned from this and are fully prepared for future data breaching threats.
Adam O’Sullivan – Reporter