In relation to the cyber attack on the Open University, on 22/11/2023 I issued a Final Decision imposing an Administrative Fine of €45,000 on the Open University.
With regard to the cyber-attack on the Land Registry, I have received the final positions of the Land Registry on the prima facie Decision, while the incident at the University of Cyprus is still under investigation in cooperation with other Authorities/Services.
Decision. A group of "hackers" (hereinafter "attacker") stated via the social media platform Twitter that they were responsible for the attack and the University was given a timeframe to pay a ransom to return/not disclose the leaked files from the attack. When the timeframe for paying the ransom had expired, the stolen data was published by the attacker and made available on the dark web.
After a full investigation into the incident, it was found that the leaked data pertained to students, alumni and other subjects (University contractors), and that it was cached on an affected server and used for processing tasks by employees.
In connection with the incident, 11 complaints have been submitted to my Office by data subjects complaining that their personal data has been leaked due to the incident under review. These complaints were taken into account during the review of the incident.
The University also sent me a list of actions it will take to enhance the security of its systems. These actions will be implemented in stages based on a schedule that has been developed, starting now, with a completion date of 2026, depending on the criticality, cost and prerequisites for their implementation.
Following a legal and technical review of all of the above, a breach of the General Data Protection Regulation (EU) 2016/679 was found, arising from the failure to implement appropriate security measures, as well as a breach of the principle of "accountability".
After taking into account all the facts of the case, the technical and organisational measures taken by the University prior to the attack and the mitigating factors reported by the University, as well as the fact that the University is part of the wider public sector, an Administrative Fine of €45,000 was imposed on the University.
The University was also instructed, within six months, to:
a) appoint a systems security officer, even if temporary/deputy, to oversee the implementation of the measures that the University intends to take,
b) inform me of the progress of the implementation of the measures that the University has informed me that it intends to take.
(PS/EP)
Contents of this article including associated images are owned by PIO
Views & opinions expressed are those of the author and/or PIO