FOI_24-324 Breaches and compensation paid
Date of response: 11 December 2024
We have now considered your Freedom of Information request 28 November 2024 for the following information:
I am writing to you under the Freedom of Information Act 2000 to request information on data breaches from your university. Please may you provide me with:
Question 1. The number of data breaches reported to your data protection team over the last five years, 2019 – 2024
Our responses:
2019 | 2020 | 2021 | 2022 | 2023 | 2024 |
---|---|---|---|---|---|
140 | 130 | 135 | 126 | 156 | 110 |
Question 2. The number of data breaches that your university reported to the Information Commissioner's Office (ICO) over the last five years, 2019 – 2024
Our response:
2019 | 2020 | 2021 | 2022 | 2023 | 2024 |
---|---|---|---|---|---|
0 | 2 | 0 | 1 | 0 | 1 |
Question 3. How many people, broken down by staff and students, were affected by a data breach for each year, 2019 – 2024
Our response:
 | 2019 | 2020 | 2021 | 2022 | 2023 | 2024 |
---|---|---|---|---|---|---|
Student | 623 | 1,753 | 287 | 34,197 | 302 | 3,298 |
Staff | 110 | 64 | 8,457 | 73 | 42 | 18 |
Mixed | 0 | 80,543 | 306 | 670 | 83,083 | 48 |
Staff and Students | 0 | 64 | 506 | 0 | 0 | 0 |
Total | 733 | 82,424 | 9,556 | 34,940 | 83,427 | 3,364 |
We would like to add the following context to the data included above: In the data for 2020, 2022 and 2023, the particularly high numbers relate to a single incident in each of the years where a personal data breach was reported that potentially exposed data of a large number of users.
In 2020 an external provider, Blackbaud, was subject to a cyber-attack which led to personal data being breached in a number of national and international organisations, of which UEA was one. We established that where our data was at risk, it involved approximately 80,000 data subjects. All relevant reparatory work was dealt with by Blackbaud on the advice of the FBI.
In 2022 one person internal to UEA was given access to the student timetabling system at a level they were not entitled to, for a limited period.
In 2023 a setting on one of our systems was identified as storing data it did not need to. This data was extensive; however, it was only accessible by 15 system administrators and did not leave the UEA IT estate. We were able to confirm it had not been accessed by anyone, including those with the system administrator permissions.
In relation to the incidents in 2022 and 2023, we know mitigation steps were taken quickly and our own investigations showed that the data was not accessed. However, we acknowledge that despite the risk being mitigated, the data of that number of individuals was at risk for the time prior to mitigation. At the time of each report, we erred on the side of caution in our initial assessment and that is what we have recorded and reported above. For incidents in 2022 and 2023 we do not believe the data of individuals was accessed or placed in the public domain.
Question 4. The total amount of compensation your university paid out over data breach claims for each year, 2019 – 2024
Our response:
2019 | 2020 | 2021 | 2022 | 2023 | 2024 |
---|---|---|---|---|---|
£0 | £7,133.60 | £0 | £0 | £30,000.00 | £0 |
Please note that the figures provided are the total amount of damages paid directly to the claimant in each year. The total amounts paid do not include the claimant’s legal fees.