Data breach at the University of Warsaw
The Personal Data Protection Office received a data breach notification at the University of Warsaw, which is currently being analyzed.
The data breach at the University consisted in the unintentional publication of a repository with data on students, doctoral students and employees of several University’s faculties, as a result of which the database was downloaded by an unauthorized person. Due to the high risk to the rights and freedoms of natural persons (e.g. the risk of the so-called identity theft), the controller communicated the data breach also to the data subjects.
The information about the system's vulnerability to data leakage was reported to the controller by CERT Polska. Having obtained such information, the University made it impossible to continue the breach and proceeded to analyze the threats.
UODO analyzes the situation related to the notified breach.
Controllers, in the event of a data breach, which may cause a likelihood (higher than low) of a harmful (adverse) impact on the data subjects, have 72 hours to notify such an incident to the President of the Personal Data Protection Office. It concerns such situations that may lead to identity theft, financial loss, or the breach of legally protected secrecy.
When analyzing the notification, UODO may assess whether, for example, the controller has taken appropriate steps to limit the further duration of the breach and actions to prevent such events in the future. If the controller has failed to notify the persons concerned about a given breach and, in the opinion of the supervisory authority, it should do so, the supervisory authority may order to take such action. The purpose of notifying data breaches within 72 hours is to take as soon as possible measures to mitigate the risk of negative consequences for the persons affected by a given incident.
More UODO guidelines on mitigating the risk of identity theft are available in the materials: