Cybersecurity, Universities and Personal Data

Universities are frequently targeted due to the amount of personal, confidential data being held. This is accumulated as part of the application process, along with on-going course attendance. One recent target has been the University of Warwick. The university is located in Coventry in the UK and is part of the Russell Group. While the details of the successful attack have not been published, this attack may have been invited in by one of the users. The issue may have all started with a user installing remote viewing software in 2019. At this point, the attackers were able to gain a foothold into the system and pivot into other areas, providing the data and information they sought.

Data

As to be expected, the attack had a focus. In this case, it was the usual data and information. The breach allowed the attackers access to student information. The attackers had also access to the staff and volunteer private information. This would provide the attackers the data needed for various unlawful acts, including taking over someone’s identity, getting credit in the other person’s name, and other fraudulent acts.

Multiple Breaches

In general, one breach is a bad operational defect. This can be devastating to the university, staff, and students in the short- and long-term. This can reach into the full network, or sections, based on the attack and target. If the attacker simply wants to exfiltrate data quickly that is marketable, they may breach the accounting or Human Resource networks. If they want to own the system and possibly extort funds, this is yet another avenue that may be best attacked with ransomware or other malware. In this case, the University was breached several times.

Problematic Factors

Simply stated, the university was breached. Granted, this is a rather unpleasant set of circumstances with potential legal consequences. There appears to be a systemic operational issue though with the breaches. First, there were multiple breaches within the university’s system in 2019. One is bad enough, with the damage that may be done. When you have multiple, the attackers know they are able to get in, get what they want, and exit with ease. If there were to have been an apprehension or concern on the part of the attackers, perhaps they would not have returned so brazenly. For them to return and enter unfettered is indicative of a larger issue.

With these multiple breaches, there is data, intellectual property, and other items possibly removed. There is also the opportunity for them to leave something behind, be it other back doors or malware, to make their life even easier if they would want to enter later. This has a clear impact on the staff and students. From the point in time for the breach, until the notification, the affected persons are blind to the attacker’s using their personal data and information, any researcher’s work product being in unauthorized hands, and generally being open to issues themselves. In this case, the university withheld this information.

One rationale for this was the university did not have the budget and resources to work on this. This, on its own, is an issue. Too many staff do not appreciate the cybersecurity role, and what this actually brings to the organization. Without a robust cybersecurity program in place, there will be issues and many unauthorized persons will have access to your private information. In other words, a reasonably prudent organization would have this in place to protect the data and information which has been given to it to manage and steward.

On another point, prior to the breach, the university was audited by the Information Commissioner’s Office, whose focus is data protection. The report, published in March, noted the chairperson of the university’s data protection privacy group (DPPG) should be replaced with an alternative with more experience. Upon receipt and review, the registrar completely agreed with their findings. Curiously, the registrar and Data Protection Officer are the same people. While the report is after the fact, the indicators had been present for some time and should have been acted on long ago. This report based on the audit was how the staff and students learned of the breaches and that their data had been compromised. Without this report, who knows when the university would have let anyone know of the circumstances. For some reason unbeknownst to many, the registrar joked about the audit, stating it was “tomato colored” and acting dismissive as to the possibility the data was at risk.

In certain circles, not accomplishing this may be considered negligence.

Apparently, the lack of oversight and resources was to the extent the university may have known they were breached, however, they had no idea of what data or systems had been impacted by the attack.

Mitigations

To overcome these problems, the university has created two additional committees to assist with the governance in this area and to provide advice. The university also put a new Chief Information and Digital Officer in place to better the cybersecurity stance.

Lessons

To fully fund the cybersecurity teams and the working group is still vital to operations, and any entity. If you are apathetic as to the network, operations, and any repercussions from a breach and being totally pwned by an unauthorized third party, there is an issue. In these times of budgetary constraints, allocating the resources can be a difficult task. The alternative though tends to be much more expensive financially in the short- and long-term and provides the opportunity for the organization to be in the news, for all the wrong reasons. There needs to be some form of a balance with the operations. Without this in place, the organization is simply a target waiting to be breached and having to send out the breach notification letters.

There also needs to be the appropriate staff doing the appropriate tasks. There is room for staff with their specific expertise in any organization. When you someone in a role they do not have the experience for, you will have issues. At a senior management level in cybersecurity, there is not the time or the availability of resources to attempt to learn on the job. There will be areas that will be missed in tasks and functions as the person moves through the learning curve. This is not the first time someone has been placed in a management position in cybersecurity without the requisite experience, exemplary of the Peter Principle.

When you have a report publishing of record there are data breaches, as a member of management, you should not act apathetic and as if you are above the findings. The staff in charge of the cybersecurity for a university should take care of the data they are stewarding. They should care enough to ensure their staff and student’s information is not at risk. When an independent third party has to inform you of breaches, something should be done to protect the university, students, and staff other than commenting, as the registrar did, “If I tell you what, I ‘I must kill you.’”

This is a rather serious issue as the breach included personal data and access to the network, unfettered. There is in place during the breach of the GDPR. As time passes, it will be interesting to note if the government actually applies the GDPR or any of the like laws or statutes to the university for the significant error and indifference to the staff and students. The registrar’s response is one of the reasons why there are still numerous breaches.

Anyone affected by this should be wondering why the responsible staff are still present and working at the university, especially the registrar.

Resources

Jay, J. (2020, April 28). Warwick university suffered multiple breaches due to poor security protocols. Retrieved from https://www.teiss.co.uk/warwick-university-data-breaches/

Karageorgi, N., & Toms, O. (2020, April 27). University of warwick kept data breach secret from students and staff. Retrieved from https://theboar.org/2020/04/university-of-warwick-kept-data-breach-secret-from-students-and-staff-last-year/

Martin, A. (2020, April 27). The university of warwick was hacked and kept secret the breaches of students and staff. Retrieved from https://oltnews.com/the-university-of-warwick-was-hacked-and-kept-secret-the-breaches-of-students-and-staff

Martin, A. (2020, April 27). Warwick university was hacked and kept breach secret from students and staff. Retrieved from https://news.sky.com/story/warwick-university-was-hacked-and-kept-breach-secret-from-students-and-staff-11978792

Millman, R. (2020, April). GDPR ignored by warwick university? Retrieved from https://www.scmagazineuk.com/gdpr-ignored-warwick-university-failure-alert-staff-students-data-breach/article/1681689

Rodger, J. (2020, April 27). Warwick university kept data hack secret from students and staff. Retrieved from https://www.birminghammail.co.uk/news/midlands-news/warwick-university-kept-data-hack-18156758

Sandford, E. (2020, April 27). Hackers targeted university of warwick. Retrieved from https://www.coventrytelegraph.net/news/coventry-news/hackers-targeted-university-of-warwick-18157358

About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.