€45,000 Fine for Open University of Cyprus Over Data Protection Violation

€45,000 Fine for Open University of Cyprus Over Data Protection Violation

Following a Ransomware Attack

An administrative fine of €45,000 has been imposed on the Open University of Cyprus for violating personal data protection. This fine, levied by Data Protection Commissioner Irenie Loizidou Nicolaidou, is in response to the institution's failure to implement adequate measures during a cyberattack.

In her recent announcement, Commissioner Nicolaidou outlined the personal data breach at the Open University of Cyprus's network in March 2023. Specifically, a hacker group claimed responsibility for the attack on Twitter and set a deadline for the university to pay a ransom to prevent the publication of stolen files. Once this deadline passed, the stolen data were published by the attackers and made available on the dark web.

Following a thorough investigation, it was discovered that the leaked data involved students, alumni, and other associated individuals temporarily stored on an affected server and used by the university's staff.

Regarding the incident, the Commissioner's Office received 11 complaints from individuals whose personal data was compromised. These complaints were considered during the investigation of the incident.

The University has also submitted a list of actions it plans to take to enhance its system security. These measures will be implemented gradually, with completion targeted for 2026, depending on their criticality, cost, and prerequisites.

After a legal and technical review, it was concluded that the University had violated the General Data Protection Regulation (EU) 2016/679 by failing to implement proper security measures and violating the principle of "accountability."

Considering all aspects of the case, Commissioner Nicolaidou noted the technical and organizational measures the University had in place before the attack and the mitigating factors mentioned by the University. Consequently, the University was fined €45,000.

Furthermore, the University has been instructed to appoint a temporary or deputy system security officer within six months to oversee the implementation of its planned measures. The University is also required to update the Commissioner on the progress of these measures.

Loader