Likelihood: HIGH
Impact: HIGH
Treatment: MITIGATE
Confidence: Moderate
Likelihood is high because unauthorized access is already confirmed — this is not a prospective risk but a realized breach of the student record system, and the scope of compromise remains unquantified. Impact is high because the University of Nottingham holds PII and national identifiers for a large current-student and alumni population, triggering mandatory ICO notification under UK GDPR, material reputational harm to student recruitment, and direct harm to individuals through identity fraud and social engineering.
Treatment rationale: Active compromise of a live regulated system with mandatory notification timelines requires immediate containment, scope determination, and regulatory response — avoidance and acceptance are not viable post-breach, and transfer alone does not address the operational and regulatory obligations already in motion.
Third-Party / Supply-Chain Risk
Insufficient public basis to confirm third-party system involvement; however, university student record environments commonly integrate identity providers, SIS vendors (e.g., Ellucian, Unit4), and cloud hosting partners — if the breach originated in or traversed any such integration, NIST SP 800-161 third-party risk obligations apply, including supplier notification and contract clause review. Verify with IT and procurement.
Loss Exposure (illustrative)
Magnitude: High — illustrative £500K–£5M range encompassing regulatory fines (UK GDPR fines up to 4% of annual turnover or £17.5M, whichever is higher), incident response and forensics costs, notification and credit-monitoring costs for affected individuals, and reputational impact on enrollment revenue
Frequency: Single confirmed event; residual elevated frequency if the root cause remains unresolved — illustrative 1-in-3-year recurrence for institutions with unpatched systemic access control weaknesses
Annualized: Illustrative ALE: if the single-event loss is centred at £2M and the residual annual frequency is 0.33, the illustrative ALE is ~£660K — this is a post-breach cost framing, not a forward-looking risk reduction figure
Basis: Loss magnitude driven by UK GDPR maximum fine tier for higher-education institutions, estimated forensics and notification costs for a breach affecting thousands of student and alumni records, and enrollment reputational impact on a research university dependent on application volumes. Frequency reflects that this is a confirmed event, not a prospective one; recurrence estimate is illustrative and based on typical remediation timelines for systemic access control failures in higher education. No external report figures cited.
Illustrative estimate — not actuarially derived.
Insurance / Contractual / Legal — Potential Obligations
Potential triggers, not legal determinations. Verify with counsel/broker before acting.
• Confirmed PII breach of student records may invoke cyber insurance notice obligations — verify with broker immediately, as late notification can void coverage.
• Breach of current students' and alumni's data may trigger contractual data-processor notification obligations if any third-party system operators processed this data on behalf of the University — verify with counsel.
• UK GDPR Article 33 mandates ICO notification within 72 hours of awareness of a personal data breach — verify current awareness timestamp and notification status with Data Protection Officer and legal counsel.
• Affected individuals may have rights to compensation under UK GDPR Article 82 for material or non-material damage — verify litigation exposure with counsel.