The Data Protection Commissioner said on Monday she has slapped a €45,000 fine on the Open University of Cyprus for negligent cyber security in relation to the hacking of its servers in March of this year.
In a statement, commissioner Irini Loizidou-Nicolaidou said that having investigated all aspects of the incident her office found that the university violated EU Regulation 2016/679 due to “non-implementation of the appropriate security measures” and had also violated the principle of accountability.
Regulation 2016/679 is the General Data Protection Regulation (GDPR). The principle of accountability is a cornerstone of the regulation. Under it, the controller of the data – in this case the Open University of Cyprus – is responsible for, among other things, processing data lawfully as well as processing data “in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss.”
Nicolaidou’s statement read: “Taking into account the facts of the case, the technical and organisational measures being taken by the university prior to the [cyber] attack, and the mitigating factors cited by the university, as well as the fact that the university is part of the broader public sector, an administrative fine of €45,000 was imposed on the university.”
The commissioner has further instructed the university to appoint a security systems officer to supervise the measures which the university has promised to take going forward, and to keep the commissioner’s office informed on the progress of implementation of these measures.
According to the statement, the data leaked concerned students, alumni and “other data subjects” (university contractors).
In relation to the incident, the commissioner’s office received 11 complaints from 11 such data subjects.
In April hackers made good on their threat to release a trove of personal data grabbed from the Open University of Cyprus, after a deadline for payment of ransom elapsed.
The group of hackers, calling themselves ‘Medusa’, had demanded €100,000 – to be paid in cryptocurrency – from the university in return for not releasing the data.
The university had announced the hack in late March.
The hackers had set a deadline of April 20 for the university to comply, otherwise they’d dump the data on the ‘dark web’.
They had published a page on the ‘dark web’ featuring a countdown timer and the ransom amount.
Earlier in March, the website of the Department of Lands and Surveys went offline after it was hacked.
Regarding this hack, Loizidou-Nicolaidou said she has received the department’s final remarks on her initial ruling. The commissioner’s final determination is pending.
On the cyber attack against the University of Cyprus, occurring in the same timeframe, the commissioner stated her office’s investigation is ongoing.
Meantime a recent report released by Atlas VPN, a VPN service provider, said that a day without internet in the world would cost $43 billion (€39 billion).
In calculating the impact on GDP, Atlas VPN used the NetBlocks Cost of Shutdown Tool (https://netblocks.org/cost/).
Using the tool, the cost to Cyprus of a single day’s internet shutdown or outage would come to €10.4 million.