
Story: “What happened at Stella Università”

(“Stella Università” is a fictional Italian university, but the story is grounded in real events in Italy.)



Background


Stella Università is a mid-sized public university in Italy, with ~20,000 students, dozens of departments, and a growing set of online services (student portals, research data, administrative files). Professors routinely share lecture materials, student records, research drafts, and collaboration documents among staff, students and external partners.


The incident


One day, the IT office detected irregular activity: a staff member had shared a sensitive research dataset and spreadsheets of student personal data through a collaboration chat. That file was forwarded externally to a partner institution and later appeared on an unauthorised forum. At the same time, a ransomware group claimed a cyber-attack in which it had exfiltrated ~500 GB of files from the university’s shared storage system. A public notice explained that personal contact information, administrative data and contract data were affected. unisi.it+1


In parallel, the university was using a proctoring system for online exams that processed students’ biometric data without a proper legal basis. The Italian Data Protection Authority (“Garante”) fined another university €200,000 for this exact issue. edpb.europa.eu+1


Consequences


  • The university had to notify thousands of students, faculty and staff about the breach.

  • It faced reputational damage: prospective students raised doubts; collaborators paused research work.

  • It incurred legal and regulatory pressure under GDPR and Italian privacy law: lack of proper controls meant huge risk of further fines.

  • The forwarded file (student records + research data) could no longer be “taken back”, even though access should have been limited.


What the professors & departments felt


  • A professor who shared the dataset felt guilt: “I thought sharing with our partner was fine, but I lost control once it left our system.”

  • The research office realised that just encrypting the files wasn’t enough; they needed dynamic control over who could view, forward or save them, and ability to revoke access later.

  • The university’s privacy officer admitted: “We had no way to ensure that after one of our staff forwarded the file, the recipient couldn’t further share it.”



How Privitty steps in & what it solves


Here’s how Privitty could have changed the story at Stella Università:

  • When the professor uploads the dataset or student records, the file is shared via the collaboration tool with Privitty controls attached.

  • The professor sets rules: “Only this partner department can view; they cannot forward; they cannot save a local copy; and access must expire after 90 days.”

  • Even if the partner tries to forward the file, an unauthorised user sees only encrypted gibberish.

  • If a staff member leaves or a project ends, the university admin revokes access in one click: the file instantly becomes unreadable for that party.

  • Auditing: the university can see who accessed the file, when, and what actions they took. That supports strong compliance with GDPR and Italian rules about data access and processing.

  • For the online exam scenario: any exam recordings or biometric files are encrypted and access-governed. Even if the proctoring tool exports a result, access to it is tightly controlled, minimising the risk of unlawful biometric profiling.
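The bullets above describe a pattern rather than an implementation: every request to use a file is decided at request time against the owner’s rules (view / forward / save), a time limit and a revocation flag, and every decision is written to an audit trail. The following is an added illustrative model of that pattern, not Privitty’s code; the class names, the three actions and the timestamps are assumptions constructed for the example. In a real product the “view” decision would gate release of the file’s decryption key, which is what makes a forwarded copy useless to an unauthorised recipient.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Hypothetical action vocabulary; mirrors the rules in the story above.
ACTIONS = ("view", "forward", "save")


@dataclass
class Grant:
    """Rules a file owner attaches to one recipient (constructed model)."""
    can_view: bool = True
    can_forward: bool = False
    can_save: bool = False
    expires_at: Optional[datetime] = None
    revoked: bool = False


@dataclass
class GovernedFile:
    """A shared file whose use is decided per request, not once at upload."""
    name: str
    grants: Dict[str, Grant] = field(default_factory=dict)
    audit: List[dict] = field(default_factory=list)

    def grant(self, principal: str, *, can_forward: bool = False,
              can_save: bool = False, ttl_days: Optional[int] = None,
              now: datetime) -> None:
        """Attach rules for one recipient; ttl_days=None means no expiry."""
        expires = now + timedelta(days=ttl_days) if ttl_days is not None else None
        self.grants[principal] = Grant(can_forward=can_forward,
                                       can_save=can_save, expires_at=expires)
        self._log(now, principal, "grant", True, f"ttl_days={ttl_days}")

    def revoke(self, principal: str, *, now: datetime) -> None:
        """One-click revocation: later checks for this principal all fail."""
        if principal in self.grants:
            self.grants[principal].revoked = True
        self._log(now, principal, "revoke", True, "owner revoked access")

    def check(self, principal: str, action: str, *, now: datetime) -> bool:
        """Policy decision point. Evaluated on every use; every outcome logged."""
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        g = self.grants.get(principal)
        if g is None:
            return self._decide(now, principal, action, False, "no grant for principal")
        if g.revoked:
            return self._decide(now, principal, action, False, "grant revoked")
        if g.expires_at is not None and now >= g.expires_at:
            return self._decide(now, principal, action, False, "grant expired")
        allowed = {"view": g.can_view, "forward": g.can_forward,
                   "save": g.can_save}[action]
        reason = "permitted by grant" if allowed else f"{action} not permitted"
        return self._decide(now, principal, action, allowed, reason)

    def _decide(self, now, principal, action, allowed, reason) -> bool:
        self._log(now, principal, action, allowed, reason)
        return allowed

    def _log(self, now, principal, action, allowed, reason) -> None:
        # Audit record: who, what, when, outcome and why (the compliance trail).
        self.audit.append({"at": now.isoformat(), "who": principal,
                           "action": action, "allowed": allowed, "reason": reason})


def run_scenario() -> dict:
    """Walk through the Stella Università example with constructed timestamps."""
    t0 = datetime(2025, 1, 10, 9, 0, tzinfo=timezone.utc)
    day = timedelta(days=1)
    f = GovernedFile("student-records.xlsx")  # constructed file name
    f.grant("partner-dept", ttl_days=90, now=t0)  # view only, 90-day limit
    results = {
        "partner_view_day1": f.check("partner-dept", "view", now=t0 + day),
        "partner_forward_day1": f.check("partner-dept", "forward", now=t0 + day),
        "partner_save_day1": f.check("partner-dept", "save", now=t0 + day),
        "forum_user_view": f.check("forum-user", "view", now=t0 + day),
        "partner_view_day91": f.check("partner-dept", "view", now=t0 + 91 * day),
    }
    f.revoke("partner-dept", now=t0 + 2 * day)
    results["partner_view_after_revoke"] = f.check("partner-dept", "view", now=t0 + 3 * day)
    results["audit_entries"] = len(f.audit)
    results["denials"] = sum(1 for e in f.audit
                             if e["action"] in ACTIONS and not e["allowed"])
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point of the model is the order of checks in `check`: revocation and expiry are evaluated before the per-action flags, so a file forwarded on day 1 is still unreadable to the recipient on day 91 or after revocation, and the audit list records the denial with its reason rather than silently failing.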



The key take-aways for colleges/universities & professors


  • Data sharing is essential in academia (lectures, research, collaboration), but once you share, the risk grows unless you control what happens afterwards.

  • Italian cases show that even universities are vulnerable — major breaches, fines, uncontrolled biometric processing. unisi.it+1

  • Encryption alone isn't sufficient; what matters is who can use the file, how they can use it, and the ability to revoke access later.

  • With Privitty, the university regains dynamic governance over academic data, student data and research data: not just safe storage, but safe sharing.

  • That supports compliance with GDPR / Italian privacy laws, protects institutional reputation, and builds trust with students and staff.



Sources / References:

  • Italian SA finds monitoring system for online university exams is a breach: the Garante per la protezione dei dati personali found that a university processed biometric data without a lawful basis. edpb.europa.eu+1

  • The Italian Data Protection Authority fines Luigi Bocconi University €200,000 for unlawful processing of students’ personal data through proctoring software during exams. DataGuidance+1

  • Italy’s facial recognition ban (except for law enforcement): Italy has banned the use of facial recognition systems in municipalities pending a legal basis. AI News

  • The Garante (Italian privacy watchdog) conducts investigations and audits, imposes sanctions, and is increasingly active in enforcing data protection in Italy. Reuters

  • Personal data anonymisation and DPO risk in Italy: fines and sanctions imposed by the Garante for data-protection breaches in the Italian context. privacymatters.dlapiper.com

  • Biometrics for attendance recording: Italian SA fines a high school for processing biometric data without a legal basis. edpb.europa.eu



Privitty is a secure, decentralized messaging app with advanced privacy features like message revocation and time-limited access.

© 2025 by Alanring Technology Ptv. Ltd.