Data breaches at universities: compensation claims advice

As some of the largest institutions in our society, universities hold huge amounts of personal data, belonging to both their large student populations and their sizeable workforces. As such, it is unsurprising that data breaches at universities have become more common in recent years.

Such breaches can arise from cyberattacks, but they can also result from failures of the universities themselves. As universities grow in size, the challenges of data handling increase, and many universities appear to be falling short of their data protection duties.

Cases of data breaches at universities

One of the most notable recent data breaches at universities came in July of 2020, with the Blackbaud hack. Blackbaud, one of the largest providers of education administration and financial systems, fell victim to an attack which affected several British, American and Canadian universities, including the University of York and the University of Leeds. The personal data belonged to current students and alumni, and included phone numbers, information about donations made by alumni, and information about events attended.

Many universities outsource their data handling to companies like Blackbaud, so if a popular external provider is attacked, the breaches can be large-scale. This partially accounts for hackers’ decisions to target such providers, as it means that they can attempt to mine huge amounts of data from multiple institutions as part of one attack.

Other data breaches at universities can be described as ‘human error’ data breaches, which can arise from the mistakes or negligence of staff members. A good example of this was the University of Greenwich data breach which emerged in 2016, leading to an investigation by the Information Commissioner. An inquiry found that the exposed data had been posted to a microsite for a conference in 2004, which was not shut down following the event. As a result, the University of Greenwich was fined £120,000, becoming the first university to be subjected to Data Protection Act fine.

Failing their duty to protect information

The consequences of data breaches at universities can be severe, particularly in cases where the breaches expose highly personal information.

When enrolling at a university, many students disclose details of physical and mental illnesses or conditions to their universities to facilitate their learning. This information can help educators and accommodation providers at the university to cater to their specific needs. The exposure of such information can lead to immense distress for the victims, as it did in the University of Greenwich data breach that we represented victims for.

In some cases, universities have failed to recognise the severity of the psychological impact. In 2019, the University of Warwick reportedly chose to hide multiple data breaches from staff and students, apparently ignorant of the increased stress and anxiety this would cause when the truth was finally revealed.

Claiming compensation for university data breaches

Today, as universities grow and develop into larger organsations, their responsibility to their students only increases. Adequate data protection should be included in the service they provide, not an added extra.

If you are a student, staff member, or alumnus of a university which you believe has failed to protect your personal data, you could be entitled to claim compensation with The Data Breach Lawyers. As specialists in data protection law with years of claiming experience, you can trust us to fight for the compensation that you deserve.