It has been reported that Warwick University was hacked and kept breach secret from students and staff. The security incident occurred when a staff member installed remote-viewing software enabling hackers to steal sensitive personal information on students, staff and even volunteers taking part in research studies. The university’s security system was reportedly so poor, it was impossible for Warwick to detect what data had been stolen and who was impacted.
To not disclose details or even admit to a data breach by today’s standards is rather poor practice. It is vital that the potential victims at the university are made aware of the hacking even if the university struggled to understand the full extent or specifics of the breach.
It is always commendable when an organisation comes clean on any sort of attack, however trivial it may be. It can be far more damaging to try and cover it up where reputation is concerned. It could be argued that prospective students looking to attend the university may even lose trust in them if this is how they deal with trying to cover up personal data compromises.
It is far better to own up to attacks, especially given that constant attacks against organisations from cyber criminals across the world mean that breaches will inevitably happen. Many people are more forgiving now and tend to appreciate it when organisations own up at the earliest opportunity and even show where their failings have laid.
This is a very alarming set of circumstances. Insider Threat has long been one of the most dangerous of Cyber vulnerabilities but for an institution like Warwick University to fall victim to such an attack will have wide-reaching consequences. The breaches mentioned in the story will undoubtedly attract financial penalties from the ICO under the General Data Protection Regulations (GDPR). Failing to report the breaches can also be met with separate, but substantial, fines. Appointing a wholly unqualified person to manage Information Security is not likely to be a defence against either and should be a very sharp wake-up call to all academic, and other institutions, that their houses should have been in order for at least two years already.
The likely financial blow will be exacerbated by the current economic state of all Universities brought about by the COVID-19 pandemic. Furloughed staff, closed buildings, remote tuition and the almost certain knock-in effect on domestic and overseas student intake for the next Academic year will see a very sharp drop in fees and revenue.
Warwick will suffer badly here as their reputation for securing the information of their staff, Academics and students, coupled with the disgraceful manner in which this breach was managed, is not something that can be easily recovered.
Data Protection should be a Board-level responsibility with all the resources and budget of every other department. Warwick is just about to find out why that’s so important in the Digital economy. I hope every other institution learns from their mistake.
Warwick University suggests this was a failing in skills and experience. This is logical, there is a cyber security skills shortage.
Warwick is missing a trick in not harnessing student power to help shore up security. The National University of Singapore has run a number of successful challenges whereby students are invited to test their skillsets and find vulnerabilities in the university\’s network. The last one saw 13 valid vulnerabilities reported, and the students benefited from monetary rewards with more than 3,600 pounds being paid to students.
Hacker powered security is the most effective way to find vulnerabilities before they can be exploited. I wish I had the chance to contribute to the security of my University when I was an undergraduate. The bugs the NUS students found, including critical reports, show that they have the skills that are needed to create a safer internet and I\’d love to see more universities test their systems and their students in this way.
This highlights an ambiguity between Articles 33 and 34 of the GDPR. There is no leeway for communications to a supervisory authority, the rule is 72 hours. However, article 34 is where the treatment of impacted individuals gets more messy. The quote from the GDPR is, “When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay”, so what defines high risk? There are no rules here, and this is an area that is a failure in the GDPR when it comes to individuals. There should have been communications, however, there is to much ambiguity when there is no timeline, nor is there a definitive requirement to notify the individual.
Suffering breaches are part and parcel for most organisations these days and a cost of doing business with any digital resources. However, transparency is a key part of incident response and it\’s imperative that impacted parties are notified as soon as feasible. This isn\’t just pragmatic from an operational perspective, but also required from GDPR.
Individuals could be put at more risk by not disclosing the breach to them. Depending on the individuals information stole, criminals could use it to steal identities, take out loans, or target them with phishing attacks.