Organisations like universities that handle significant amounts of confidential and personal information are increasingly being targeted by cyber criminals. In this article SecureTeam looks at the damage data breaches are causing in UK universities.
Earlier this year a spokesperson for Lancaster University announced that the university had been the victim of a “Sophisticated and Malicious” cyberattack that had ended in two data breaches and the loss of confidential and personal data of a number of future and current students.
Malicious third-party attackers made use of tried and tested methods that are common to phishing scams and are a favourite of hackers. These data breaches have highlighted a vulnerability in university cybersecurity solutions as well as demonstrated how university staff and students are lacking in awareness of the risks cyber attackers present.
Lancaster University data breach
The data breach exposed the personal information, such as names, addresses, email addresses and telephone numbers, of potentially 12,500 applicants for 2019 and 2020, as well as that of a “small number of current students.” Applicants who applied during clearing are thought not to have been affected by the data breach.
Lancaster University reacted to the data breach by creating an incident team to handle the fallout and has contacted the students who were directly affected, informing them that their information and records had been breached as well as providing them with advice on what to do next.
Lancaster University also released a statement saying that “We have focused on safeguarding our IT systems and identifying and advising students and applicants who have been affected.”
However, the damage has been done and several prospective students have been sent fraudulent invoices for university courses, which, if paid, could represent a potentially high return for the malicious hackers. The university has encouraged those affected to remain vigilant.
Other UK university data breaches
Lancaster University isn’t the first British university to fall victim to a cyber-attack this year. Students from several universities, including Manchester, Coventry and Bristol have all fallen victim to similar attacks over the last year.
The University of York has also seen the private information of 88 students accessed as well as the “basic data” of 4,400 students downloaded. The university was quick to reassure that this did not include any financial information.
This pattern shows that universities need to escalate their cybersecurity procedures and increase their efforts to educate their staff and students on the risk presented by phishing attacks, to help safeguard the confidential data that they hold.
The phishing scam threat
It is important to note that no organisation can ever be completely free of the risk of a malicious attack and that this isn’t necessarily a failure on Lancaster University’s part. In fact, Lancaster University was fully compliant with all cybersecurity standards and they “have always taken data security responsibilities very seriously”.
However, the threat that phishing emails represent is something all organisations should be prepared to deal with, as should their staff and students. Luckily, a small amount of education can go a long way and there are some common trends that make phishing emails stand out. By sharing these with students, universities can help to cut down on the risk of fraudulent emails and invoices.
Trends common in phishing emails:
- Spelling or grammar mistakes – phishing emails are often written by bots and therefore contain spelling and grammar errors. Carefully read any emails that appear to come from a respectable source before acting on them.
- Incorrect email address – try as they might, phishing email addresses rarely stand up to scrutiny very long. Always check the sender’s address before you respond to any official email.
- Stressing time-sensitivity – phishing emails will always try to pressure you to act quickly. An organisation such as a university would never demand that you make any payments on short notice, so be wary of any emails that do.
- Dramatic wording – phishing emails commonly make use of dramatic or exciting language to try and pressure you to act quickly for fear of punishment. This is a good giveaway and helps to identify spam emails.
- Unusual subject lines – a common tactic is to include the genuine email address in the subject line to try and confuse the recipient. Compare the email to others received from the organisation to see if the style matches.
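The trends above can be turned into a simple triage check that a mail team could run over reported messages. This is an added example, not SecureTeam's code; the trusted sender domain, the keyword lists and the two sample messages are constructed for illustration and would need tuning to a real organisation's mail flow.

```python
"""Rule-based triage for the phishing trends listed above (added example;
sender domain, keyword lists and sample messages are constructed).
"""
import re
from email.utils import parseaddr

# Assumed: the university has published a single legitimate sender domain.
TRUSTED_DOMAIN = "example.ac.uk"
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "final notice")
DRAMATIC_WORDS = ("suspended", "penalty", "legal action", "lose your place")
PAYMENT_WORDS = re.compile(r"\b(invoice|payment|pay now|bank transfer)\b")
ADDRESS_IN_SUBJECT = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def phishing_indicators(msg: dict) -> list[str]:
    """Return the names of the trends that fire for one message.
    msg has keys: from, subject, body. Triage aid, not a verdict."""
    hits = []
    _, addr = parseaddr(msg["from"])
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    # Incorrect email address: look-alike domains such as example-ac.uk
    if domain != TRUSTED_DOMAIN:
        hits.append("sender-domain-mismatch")
    text = (msg["subject"] + " " + msg["body"]).lower()
    if any(w in text for w in URGENCY_WORDS):      # time pressure
        hits.append("urgency")
    if any(w in text for w in DRAMATIC_WORDS):     # threat of punishment
        hits.append("dramatic-wording")
    if ADDRESS_IN_SUBJECT.search(msg["subject"]):  # address placed in subject
        hits.append("address-in-subject")
    if PAYMENT_WORDS.search(text):                 # the fake-invoice lure
        hits.append("payment-demand")
    return hits


# Constructed sample messages (not real mail).
SAMPLES = [
    {"from": "Admissions <admissions@example.ac.uk>",
     "subject": "Your offer: next steps",
     "body": "Please log in to the applicant portal to view your offer."},
    {"from": "Finance <fees@example-ac.uk>",
     "subject": "admissions@example.ac.uk - URGENT invoice",
     "body": "Pay now within 24 hours by bank transfer or lose your place."},
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m["from"], "->", phishing_indicators(m))
```

Because the rules only flag, the output is a list of reasons a human can verify against the message rather than a block/allow decision.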
How to protect yourself from phishing scams
There are some simple ways to protect yourself from phishing emails that apply to everyone, not just university students. These include:
- Be suspicious of any emails that demand urgent financial action.
- If suspicious, do not click the link in the email. Instead, type the address manually.
- Be aware of the email style and structure of any organisation you are expecting important emails from.
How organisations like universities can safeguard their confidential data
Having students be aware of the threat and able to protect themselves is a vital step. However, as the data handlers, it is up to organisations such as universities to safeguard any sensitive and personal data that they are holding.
Universities can help to protect students by clearly outlining their contact procedures from the start. By confirming a single sender address, providing information on what would and wouldn’t be asked over email and providing advice on how to spot phishing emails, universities can help potential students protect themselves from taking rash actions during a stressful time.
Universities also need to protect themselves from unauthorised access, which often leads to data breaches such as in Lancaster University’s case. Organisations should be routinely reviewing admin logins and user privileges to ensure that dormant logins that could be exploited no longer have access to any sensitive data. In organisations like universities where the networks are sprawling with hundreds if not thousands of logins, vigilance can help to prevent dormant accounts or privileges being exploited by a malicious attacker.
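The routine review described above can be scripted against a directory export so that dormant and over-privileged logins are surfaced on a schedule rather than noticed by chance. This is an added example, not any university's tooling; the 90-day threshold, the admin role names and the account records are constructed assumptions.

```python
"""Dormant and over-privileged account review (added example, not a
university's tooling; records and thresholds below are constructed).
"""
from datetime import date, timedelta

DORMANT_AFTER = timedelta(days=90)          # assumed policy threshold
ADMIN_ROLES = {"domain-admin", "sis-admin", "db-admin"}  # assumed role names


def review_accounts(accounts: list[dict], today: date) -> list[dict]:
    """Return findings, highest risk first. Each account dict has:
    user, enabled, last_login (date or None), roles (set of str).
    A login that never happened counts as dormant."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled; nothing left to revoke
        last = acct["last_login"]
        dormant = last is None or today - last > DORMANT_AFTER
        admin_roles = acct["roles"] & ADMIN_ROLES
        if dormant and admin_roles:
            action, risk = "disable and strip admin roles", 3
        elif dormant:
            action, risk = "disable pending owner confirmation", 2
        elif len(admin_roles) > 1:
            action, risk = "confirm need for multiple admin roles", 1
        else:
            continue
        findings.append({"user": acct["user"], "risk": risk, "action": action})
    return sorted(findings, key=lambda f: -f["risk"])


# Constructed sample directory export; fixed review date for reproducibility.
REVIEW_DATE = date(2019, 8, 10)
ACCOUNTS = [
    {"user": "j.smith", "enabled": True, "last_login": date(2019, 8, 1),
     "roles": {"domain-admin", "db-admin"}},
    {"user": "contractor7", "enabled": True, "last_login": date(2019, 1, 5),
     "roles": {"sis-admin"}},
    {"user": "svc-backup", "enabled": True, "last_login": None,
     "roles": {"domain-admin"}},
    {"user": "old-intern", "enabled": False, "last_login": None,
     "roles": {"domain-admin"}},
    {"user": "a.jones", "enabled": True, "last_login": date(2019, 4, 1),
     "roles": {"student"}},
]

if __name__ == "__main__":
    for finding in review_accounts(ACCOUNTS, REVIEW_DATE):
        print(finding)
```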