Three years later, multiple attackers gained access to the server and made their way to other parts of the university's network.
The fine was levied by the ICO under the data protection legislation that was put in place in 1998.
ICO head of enforcement Steve Eckersley said: “Whilst the microsite was developed in one of the University’s departments without its knowledge, as a data controller it is responsible for the security of data throughout the institution.
“Students and members of staff had a right to expect that their personal information would be held securely and this serious breach would have caused significant distress. The nature of the data and the number of people affected have informed our decision to impose this level of fine.”
The University said it had beefed up its security in the wake of the fine by:
- making major investments in new security architecture, tools and technologies;
- hiring new dedicated internal experts whose sole focus is information security;
- conducting vulnerability testing across the entire organisation every day – the only university, so far as we know, to do so;
- making information security training mandatory for all staff;
- reforming the system of internal IT governance; and
- developing a rapid incident response to tackle threats as they arise and quickly learn lessons from incidents.
If the fine is paid by 15 June, the amount will be reduced by 20%.