A UNIVERSITY in Ireland has been fined for a data breach which led to a member of staff falling victim to fraud.
The breach at the University of Maynooth, which occurred in November 2018, saw hackers gain control of the email addresses of six employees.
One of the staff members involved eventually fell victim to fraud as a result.
The institution raised the incident with the Data Protection Commission (DPC), which launched an investigation in July 2019.
“The DPC commenced this inquiry on an own-volition basis in July 2019,” the organisation confirmed.
“The inquiry related to a personal data breach notified by Maynooth University in November 2018,” they added.
“The breach affected the email accounts of university employees, and allowed unauthorised persons to gain control of up to six accounts,” the DPC explained.
“The unauthorised persons used control of one account to assist in the commission of a fraud, leading to a financial loss by one of the persons affected.
“The DPC assessed Maynooth University’s technical and organisational measures for ensuring the security of personal data that it processed, and also examined compliance with the controller’s obligation to notify breaches promptly.”
Their inquiry has now finished, with the DPC finding that the university infringed three articles within GDPR guidelines, by “failing to ensure appropriate security of personal data that it processed, and to implement appropriate technical and organisational measures to ensure such security”, and “failing to notify the DPC of the data breach within 72 hours”.
As a result, the DPC has imposed “administrative fines” totalling €40k on Maynooth University and ordered the institution to “bring its processing into compliance with the security requirements of the GDPR”.
“It is vitally important that organisations ensure that personal data is processed in a manner that ensures appropriate security, through the implementation of the necessary technical and organisational measures required under the GDPR,” a DPC spokesperson said this week.
“Data Controllers must also ensure that they comply with their statutory obligation to notify the Data Protection Commission without undue delay once they become aware that a personal data breach has occurred.”
The DPC will publish the full decision on their Maynooth University inquiry and further related information at a later date.