The Ladies’ College ordered to improve security measures following breach

The Data Protection (Bailiwick of Guernsey) Law, 2017 (“the Law”)
The Data Protection Authority (“The Authority”)
Issued: 12pm 4 December 2025
Controller: The Ladies' College

Public Statement

What happened?  

On 24 June 2024, The Ladies’ College discovered that it was unable to access several of its on-premises servers. An investigation undertaken by The Ladies’ College identified that unauthorised access had been made to some of its systems, which had subsequently been encrypted with ransomware. The majority of the information affected by this breach did not relate to individuals; however, some limited examples of personal data were affected.

The Ladies’ College reported the incident to the Authority as a personal data breach, with an inquiry being initiated to establish whether the Data Protection Law had been breached. 

The Authority’s investigation found that while The Ladies’ College had systems in place that detected suspicious authentication activity, it did not implement appropriate processes to be notified of or monitor such detections. The majority of the encrypted information was not personal data, and none related to students.  

The Ladies’ College also failed to appropriately secure an administrator account: a weak password, coupled with a failure to activate Multi-Factor Authentication (MFA), left the account vulnerable to a brute-force attack.

Additionally, The Ladies’ College failed to appropriately secure remote access to computers within its network, leaving them directly exposed to access using compromised credentials.

For these reasons, the Authority has found The Ladies’ College in breach of the Data Protection Law.  


Why was that a problem?

The failures in The Ladies’ College’s security allowed for unauthorised access to be gained to its systems, and for data to be encrypted by the threat actor using ransomware. While the majority of this did not include personal data, there were some limited examples of personal data being encrypted.  


What happened as a result?  

Following its finding that The Ladies’ College had breached the Law, the Authority imposed an order requiring it to undertake specific actions to improve the security of the personal data it processes. Since the imposition of this order, The Ladies’ College has successfully completed all of the required actions.

To date, no evidence has been identified of any information being exfiltrated from The Ladies’ College’s systems. That said, we encourage all organisations to remain vigilant for potential misuse of data.


“Effective processes to monitor and warn against security breaches are a key element of any security safeguard system, regardless of the sensitivity of the information held”, said Data Protection Commissioner Brent Homan,  

“We are pleased that The Ladies’ College acted swiftly to notify our office of the breach, cooperated with the investigation and implemented remedial measures without delay.”


What can be learned from this?  

  • Processes must be put in place to ensure that security monitoring software alerts are identified in a timely manner. It is recommended that systems are configured to send e-mail or similar alerts of detections to increase the likelihood that they are seen and actioned.  
  • Organisations must ensure that appropriate passwords are used to mitigate the risk of unauthorised access to accounts. The National Cyber Security Centre (NCSC) recommends that organisations follow the ‘three random words’ approach to passwords.  
  • Organisations must ensure that Remote Desktop Protocol access to devices is disabled if not required, or alternatively if access is required it should be strictly controlled using appropriate firewall rules, strong passwords and MFA.
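As an added illustration of the first lesson above (example code, not part of the Authority’s statement or the controller’s systems): a small Python script that reads constructed sample authentication log lines, flags a burst of failed logins against one account, escalates when a success follows the burst, and renders the notification that should reach someone. The log format, field names, thresholds and account names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (assumed format; not from the incident).
SAMPLE_LOG = """\
2024-06-23T22:00:01 user=admin result=FAIL src=203.0.113.7
2024-06-23T22:00:03 user=admin result=FAIL src=203.0.113.7
2024-06-23T22:00:05 user=admin result=FAIL src=203.0.113.7
2024-06-23T22:00:08 user=admin result=FAIL src=203.0.113.7
2024-06-23T22:00:11 user=admin result=FAIL src=203.0.113.7
2024-06-23T22:00:14 user=admin result=SUCCESS src=203.0.113.7
2024-06-23T22:15:00 user=jsmith result=FAIL src=192.0.2.10
2024-06-23T22:45:00 user=jsmith result=SUCCESS src=192.0.2.10
"""
LINE_RE = re.compile(r"(\S+) user=(\S+) result=(\S+) src=(\S+)")

def detect_brute_force(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per account with >= threshold failures inside `window`;
    a later successful login on that account is recorded as success_after."""
    failures = defaultdict(list)  # account -> timestamps of recent failures
    alerts, alerted = [], set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the assumed format
        ts = datetime.fromisoformat(m.group(1))
        user, result, src = m.group(2), m.group(3), m.group(4)
        if result == "FAIL":
            recent = [t for t in failures[user] if ts - t <= window]
            recent.append(ts)
            failures[user] = recent
            if len(recent) >= threshold and user not in alerted:
                alerted.add(user)
                alerts.append({"account": user, "src": src, "failures": len(recent),
                               "first_seen": recent[0].isoformat(), "success_after": False})
        elif result == "SUCCESS" and user in alerted:
            # A success after a burst of failures suggests the credential is now compromised.
            for a in alerts:
                if a["account"] == user:
                    a["success_after"] = True
    return alerts

def format_alert_email(alert):
    """Render an alert as the body of a notification e-mail, so that a detection is seen."""
    sev = "CRITICAL" if alert["success_after"] else "HIGH"
    tail = "; subsequent successful login" if alert["success_after"] else ""
    return (f"[{sev}] {alert['failures']} failed logins for '{alert['account']}' "
            f"from {alert['src']} since {alert['first_seen']}{tail}")
```

On the sample above, the single failure for `jsmith` produces no alert, while the five rapid failures for `admin` followed by a success produce one CRITICAL alert.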