UCD set to pay 70k in fines following several personal data breaches of University email accounts

Image Credit: Dominic Daly

University College Dublin has been fined €70,000 following several personal data breaches of University email accounts. The fine came after the Data Protection Commission (DPC) received 7 separate breach notifications from UCD between August 2018 and January 2019.

The seven occurrences involved unauthorised access by third parties to UCD email accounts. In some cases, login credentials were posted online; others involved users “furnishing their credentials” from external websites, the DPC has reported. UCD was unable to identify how other accounts had been compromised. UCD discovered the breaches when spam was reported to have been sent from University email accounts. The online application “haveibeenpwned.com” was also used in identifying the source of this unauthorised activity.

Following an investigation, some of which took place on-site, UCD was officially reprimanded and fined for failure to implement appropriate General Data Protection Regulation (GDPR) measures, for storing data longer than necessary, and finally for failure to appropriately notify the DPC following these occurrences. This last infringement occurred when UCD failed to bring one of the cases to the DPC for 13 days after its occurrence, breaching Article 33 of GDPR, which states that the controller must notify the supervisory authority no later than 72 hours after having become aware of the breach.

The breaches occurred after the revised General Data Protection Regulation came into effect in May 2018. The regulation is designed to strengthen and unify the protection of personal data across the EU. This is the sixth GDPR fine imposed by the Data Protection Commission (DPC), which is the Irish supervisory authority for GDPR.

A UCD spokesperson commented that the college “accepts the decision of the Commissioner for Data Protection” and that the university has addressed the decision ordered by the DPC with a “programme of action” following this breach of UCD security systems.

This makes University College Dublin the first third-level institution to receive a fine from the Data Protection Commission. Separate investigations are underway concerning other third-level institutions, namely the University of Limerick and Maynooth University.

If students suspect any unusual activity regarding their UCD accounts, there are several resources available to investigate such issues, with contact services listed on the UCD website.