Warwick Uni breach cover-up sparks warning to brands

warwick2Companies are being urged to ensure that data protection officers are given the right support – and adequate training – following a damning report into the practices at Warwick University amid claims that its DPO kept multiple data breaches secret from both students and staff.

The first breach is said to have occurred last year, when a staff member installed remote-viewing software enabling hackers to steal sensitive personal information on students, staff and even volunteers taking part in research studies.

In an internal report – seen by Sky News – the university admitted that cyber security protections were so poor that it was impossible to identify what data had been stolen. Sky News claims “several sources” have insisted this was just one of multiple data breaches which have taken place at Warwick, whose motto is mens agitat molem (mind moves matter).

However, mind certainly did move matter for Warwick’s registrar and executive lead for data protection, Rachel Sandby-Thomas.

It is claimed that not only did she fail to inform any of the individuals or research bodies about these breaches or the risks they were exposed to, she also tried to block a “voluntary” audit by the Information Commissioner’s Office.

However, she was informed that the alternative to a voluntary audit was a “compulsory less friendly one”.

Sky News alleges that during the final meeting with the ICO, the regulator recommended that Sandby-Thomas should be removed as chair of the university’s data protection privacy group, saying it should instead should be chaired by someone with data protection expertise.

The university told Sky News: “The registrar fully agreed with the report’s finding that we should give those areas of responsibility to someone with a specialist skill set and experience.”

Despite not having this “specialist skill set and experience”, Sandby-Thomas had been the executive lead for IT and data protection at the university since 2016; she has now stepped down.

The university confirmed: “As previous structures clearly did not deliver all the change and improvements we had sought in this area, it is no surprise that we also sought to change and improve these structures. We have therefore introduced two new committees to provide enhanced oversight and advice which bring in a wealth of talent including one of Europe’s leading cyber security professors.”

A new chief information and digital officer, who reports directly to the vice chancellor, has also been hired.

The university told Sky News: “We have also unsurprisingly, and for the same reasons, made changes to the operation and focus of the management and administrative team for that area of work, but all of those staff remain employed by the university.”

In 2018, the ICO issued a £385,000 penalty to Uber for “avoidable data security flaws” that had allowed the personal details of UK customers to be accessed; the ruling also blasted the company’s deliberate attempt to cover up the breach. It is not known whether Warwick will now face a fine.

One data protection expert said: “In the run-up to GDPR, suddenly there was a huge rush to appoint data protection officers and this case shows that Warwick – one of the top universities in the country – got it badly wrong. But to blame one individual is harsh, as we simply don’t know how much support or training she had had.  The real lesson from this, is to ensure your organisation does not end up in the same boat.

“Many organisations might think they have GDPR ‘sorted’, but it is not a one-off; it requires regular training. That might be taking a backseat in the current climate but it is still crucial for the future of any business.”

Related stories
Uber fined £900,000 over ‘complete disregard’ for data
Marketers urged to jump into bed with privacy chiefs
GDPR compliance stutters as companies lose interest
Vacancies for data protection officers rocket by 700%
ICO recruitment drive hit by scramble for GDPR experts
GDPR fuels major recruitment drive at UK businesses
Nearly 60% of marketers have had no GDPR training
7,000 data protection officers needed for UK firms

Print Friendly