University of Warwick kept data breach secret from students and staff

The University of Warwick’s administrative system was hacked last year, in a breach that was kept secret from staff and students.

According to Sky News,  the data security breach occurred when a member of staff installed remote-viewing software, which led to hackers being able to access student and staff data, as well as sensitive data from research studies.

This is one of several data breaches, which have been kept from staff and students. 

Earlier this month, an internal data protection audit report revealed that the University had inadequate data protection to prevent an attack or identify if a data breach had occurred.

A further data protection audit was carried out by the Information Commissioner’s Office (ICO), the data protection watchdog. 

The University’s Registrar and executive lead for data protection since 2016, Rachel Sandby-Thomas, did not inform any of the individuals whose data had been accessed about the breaches. 

Sky News also revealed that Ms Sandby-Thomas considered refusing to allow the ICO to conduct its voluntary audit. The ICO recommended that she should be removed from the University’s data protection privacy group (DPPG), as she did not have data security expertise. 

Following these recommendations the University’s Registrar has since disbanded the DPPG and is currently restructuring its data protection and security plan by introducing two new committees.

A data protection audit report revealed that the University had inadequate data protection to prevent an attack or identify if a data breach had occurred

The University told Sky News: “The registrar fully agreed with the report’s finding that we should give those areas of responsibility to someone with a specialist skill set and experience.

“As previous structures clearly did not deliver all the change and improvements we sought in this area, it is no surprise that we also sought to change and improve these structures.”

The University also introduced a new chief information and digital officer. 

They added: “We have therefore introduced two new committees to provide enhanced oversight and advice which bring in a wealth of talent including one of Europe’s leading cyber security professors.

“We have also unsurprisingly, and for the same reasons, made changes to the operation and focus of the management and administrative team for that area of work, but all of those staff remain employed by the university.” 

The University has been contacted for comment to respond to the withholding of data risks from staff and students.