Likelihood: HIGH
Impact: HIGH
Treatment: MITIGATE
Confidence: Moderate
Exfiltration is confirmed, so this is a COMPROMISED event, not merely an exposure. It affects both student and staff PII at a major UK research university and will near-certainly trigger UK GDPR regulatory scrutiny and reputational consequences with prospective students and research funders. Impact is high because the affected population spans multiple sensitive data categories (academic records, employment data) and the institution operates under ICO enforcement jurisdiction, where fines are scaled to annual turnover.
Treatment rationale: Active regulatory exposure and ongoing reputational harm require immediate containment, breach-notification compliance, and control remediation — avoidance and acceptance are not viable post-exfiltration, and transfer (insurance) is supplementary, not primary.
Third-Party / Supply-Chain Risk
Attack vector and responsible actor remain undisclosed; if student information systems, HR platforms, or research data repositories involve third-party SaaS or managed-service providers, those vendors represent unassessed exposure under NIST SP 800-161 — the university's supply chain risk posture for data processors handling UK GDPR-regulated personal data should be reviewed as part of incident scope determination.
Loss Exposure (illustrative)
Magnitude: high — illustrative £500K–£5M+
Frequency: Single confirmed event; recurrence frequency not estimable from available information
Annualized: Insufficient basis for ALE framing — single confirmed event with undisclosed scope; annualization would not be defensible
Basis: Illustrative range anchored to: (1) UK GDPR maximum administrative fines scaled to higher education sector annual turnover (up to 4% global annual turnover or £17.5M, whichever is higher, per UK GDPR — actual ICO enforcement for universities has historically been lower but non-trivial); (2) incident response, forensic investigation, and legal costs typical for a breach of undisclosed but described scope; (3) reputational impact on student recruitment and research funding modeled as a moderate multi-year revenue drag. No third-party actuarial or industry benchmark data cited.
Illustrative estimate — not actuarially derived.
Insurance / Contractual / Legal — Potential Obligations
Potential triggers, not legal determinations. Verify with counsel/broker before acting.
• Confirmed PII exfiltration from a UK-based institution may invoke cyber-insurance incident-notification obligations — verify with broker.
• UK GDPR Article 33 imposes a 72-hour supervisory authority (ICO) notification window from awareness of a personal data breach — verify with counsel whether that threshold is met and the clock is running.
• Research grant agreements and commercial partner contracts may contain data-security representations and breach-disclosure clauses that are now potentially triggered — verify with counsel.
• If staff data systems are involved, employment-law obligations regarding notification of affected individuals may be engaged — verify with counsel.