Warwick University Hides Hack From Students And Staff – Experts' Comments

It has been reported that Warwick University was hacked and kept the breach secret from students and staff. The security incident occurred when a staff member installed remote-viewing software, enabling hackers to steal sensitive personal information on students, staff and even volunteers taking part in research studies. The university's security system was reportedly so poor that it was impossible for Warwick to determine what data had been stolen and who was impacted.

Experts' Comments

April 28, 2020
Javvad Malik
Security Awareness Advocate
KnowBe4
Suffering breaches is part and parcel for most organisations these days and a cost of doing business with any digital resources. However, transparency is a key part of incident response and it's imperative that impacted parties are notified as soon as feasible. This isn't just pragmatic from an operational perspective, but also required by GDPR. Individuals could be put at more risk by not disclosing the breach to them. Depending on the individuals' information stolen, criminals could use it to steal identities, take out loans, or target them with phishing attacks.
April 28, 2020
Anna Russell
EMEA VP
comforte AG
Given the troves of personal information stored within universities and other higher education institutions, they will always be a target for cybercriminals. As a private individual, sometimes there's no way to be sure that the services we use are protected by an adequate amount of security. Even if you don't enter your ID, name, address, or even payment details, they can be used to start fraudulent activities. Nevertheless, organizations have to disclose a breach and inform users as soon as possible to preserve trust. A fast response is only possible when already having a sophisticated incident response strategy in place. While the chances of being breached are higher than ever before, there is not much you can do about it. With an ever-growing attack surface, building just another wall around your network is not the best way forward, especially when it comes to phishing attacks. In the end, the most important thing to do is to protect your customers' data. With modern solutions such as FPE or tokenization, you can render PII (including names, addresses, and IDs) useless to hackers.
April 29, 2020
Jake Moore
Cybersecurity Specialist
ESET
To not disclose details or even admit to a data breach by today's standards is rather poor practice. It is vital that the potential victims at the university are made aware of the hacking even if the university struggled to understand the full extent or specifics of the breach. It is always commendable when an organisation comes clean on any sort of attack, however trivial it may be. It can be far more damaging to try and cover it up where reputation is concerned. It could be argued that prospective students looking to attend the university may even lose trust in them if this is how they deal with personal data compromises. It is far better to own up to attacks, especially given that constant attacks against organisations from cyber criminals across the world mean that breaches will inevitably happen. Many people are more forgiving now and tend to appreciate it when organisations own up at the earliest opportunity and even show where their failings have lain.
April 29, 2020
Brian Higgins
Security Specialist
Comparitech.com
This is a very alarming set of circumstances. Insider threat has long been one of the most dangerous of cyber vulnerabilities, but for an institution like Warwick University to fall victim to such an attack will have wide-reaching consequences. The breaches mentioned in the story will undoubtedly attract financial penalties from the ICO under the General Data Protection Regulation (GDPR). Failing to report the breaches can also be met with separate, but substantial, fines. Appointing a wholly unqualified person to manage information security is not likely to be a defence against either and should be a very sharp wake-up call to all academic, and other, institutions that their houses should have been in order for at least two years already. The likely financial blow will be exacerbated by the current economic state of all universities brought about by the COVID-19 pandemic. Furloughed staff, closed buildings, remote tuition and the almost certain knock-on effect on domestic and overseas student intake for the next academic year will see a very sharp drop in fees and revenue. Warwick will suffer badly here, as their reputation for securing the information of their staff, academics and students, coupled with the disgraceful manner in which this breach was managed, is not something that can be easily recovered. Data protection should be a board-level responsibility with all the resources and budget of every other department. Warwick is just about to find out why that's so important in the digital economy. I hope every other institution learns from their mistake.
April 29, 2020
Laurie Mercer
Security Engineer
HackerOne
Warwick University suggests this was a failing in skills and experience. This is logical; there is a cyber security skills shortage. Warwick is missing a trick in not harnessing student power to help shore up security. The National University of Singapore has run a number of successful challenges whereby students are invited to test their skillsets and find vulnerabilities in the university's network. The last one saw 13 valid vulnerabilities reported, and the students benefited from monetary rewards, with more than 3,600 pounds being paid to students. Hacker-powered security is the most effective way to find vulnerabilities before they can be exploited. I wish I had the chance to contribute to the security of my university when I was an undergraduate. The bugs the NUS students found, including critical reports, show that they have the skills that are needed to create a safer internet, and I'd love to see more universities test their systems and their students in this way.
April 29, 2020
Robert Meyers
Channel Solutions Architect and Fellow of Information Privacy
One Identity
This highlights an ambiguity between Articles 33 and 34 of the GDPR. There is no leeway for communications to a supervisory authority; the rule is 72 hours. However, Article 34 is where the treatment of impacted individuals gets more messy. The quote from the GDPR is, "When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay", so what defines high risk? There are no rules here, and this is an area that is a failure in the GDPR when it comes to individuals. There should have been communications; however, there is too much ambiguity when there is no timeline, nor is there a definitive requirement to notify the individual.