Women's College takes immediate action following IT security breach

The Ladies' College in Guernsey acted quickly after being instructed to strengthen its cybersecurity measures following a breach last year. The Office of the Data Protection Authority reported that on 24 June 2024, the college was unable to access several on-site servers, and an investigation revealed unauthorized access to some systems.

The authority's review found that although the college had tools that detected unusual login activity, it lacked proper procedures to be alerted to or monitor these warnings.

Most of the encrypted data involved was not personal, and none of it pertained to students. The investigation also highlighted that an administrator account had weak password protection and no Multi-Factor Authentication, making it vulnerable to brute force attacks. Furthermore, remote access to the network was not adequately secured, leaving it exposed to potential unauthorized logins.

As a result, the college was found in violation of Data Protection Law, and an order was issued requiring it to take specific steps to enhance the security of personal information and improve its monitoring processes.

Data Protection Commissioner Brent Homan praised the college for its prompt notification of the breach, full cooperation during the investigation, and rapid implementation of corrective actions. He emphasized that robust monitoring and alert systems are essential for effective cybersecurity, regardless of the type of data held.

So far, there is no evidence that any information was extracted from the college's systems. Nonetheless, the authority advised that all organizations remain alert to possible misuse of data.

Author: Chloe Ramirez