[BreachExchange] Warwick University was hacked and kept breach secret from students and staff

Destry Winant destry at riskbasedsecurity.com
Wed Apr 29 10:17:59 EDT 2020


Hackers accessed the University of Warwick's administrative network
last year in an attack which has been kept secret from the affected
individuals and organisations, Sky News has learnt.

The security incident occurred when a staff member installed
remote-viewing software enabling hackers to steal sensitive personal
information on students, staff and even volunteers taking part in
research studies.

Because cyber security protections at the university were so poor, as
per the findings of an internal report revealed by Sky News earlier
this month, it was impossible for the university to identify what data
had been stolen.

Several sources have told Sky News this was one of multiple data
breaches which have taken place at Warwick, which regularly receives
more than £120m in research grants each year.

Warwick's registrar and executive lead for data protection, Rachel
Sandby-Thomas, who is ultimately responsible for IT services, did not
inform any of the individuals or research bodies whose data was stored
on the administrative network about these breaches or the risks they
were exposed to.

The university declined to respond to this point when it was put to them.

An executive summary of another audit - this time by the data
protection watchdog, the Information Commissioner's Office - was
published in March, providing the first mention of these security
risks which either students or staff had heard about.

Sky News has learnt that during the final meeting concluding the ICO's
audit, the regulator recommended that Ms Sandby-Thomas should be
removed as chair of the university's data protection privacy group
(DPPG), saying it should instead be chaired by someone with data
protection expertise.

The university told Sky News: "The registrar fully agreed with the
report's finding that we should give those areas of responsibility to
someone with a specialist skill set and experience."

Despite not having this "specialist skill set and experience", Ms
Sandby-Thomas had been the executive lead for IT and data protection
at the university since 2016 - a period during which multiple security
incidents occurred.

After the recommendation was made that she stand down from chairing
the DPPG, the registrar disbanded the committee.

The university confirmed: "As previous structures clearly did not
deliver all the change and improvements we had sought in this area, it
is no surprise that we also sought to change and improve these

"We have therefore introduced two new committees to provide enhanced
oversight and advice which bring in a wealth of talent including one
of Europe's leading cyber security professors."

A new chief information and digital officer, who reports directly to
the vice chancellor, has also been hired.

The university told Sky News: "We have also unsurprisingly, and for
the same reasons, made changes to the operation and focus of the
management and administrative team for that area of work, but all of
those staff remain employed by the university."

The tense of the phrase "remain employed" is significant, according to
multiple sources at the university who say staff have been informed of
an ongoing restructuring, and expect this to involve redundancies.

Sky News has seen an internal email featuring the registrar joking
about the cyber security audit, telling staff it was "tomato coloured"
and dismissing their potential interest in knowing whether their data
was at risk by saying: "If I told you what, I'd have to kill you."

In the same email, the registrar acknowledged that she attempted to
refuse to allow the ICO to conduct its voluntary audit until she was
informed that the alternative to a voluntary audit was a "compulsory
less friendly one".

The university said: "The registrar's comments simply confirmed and
supported the more formal communications to staff that there were a
number of areas, in both our own analysis and the ICO audit, that
clearly should be red flagged.

"They also confirmed the ICO's and our own assessment that only the
summary audit report should be public as the publication of the full
report could potentially undermine the work to implement its actual

But the risks to student and staff data, as highlighted by multiple
data protection incidents, were not made public as part of the summary
audit report.

Sources at the university told Sky News they would like the council to
hold an independent investigation into the executive lead's handling
of these incidents.

The university declined to respond to whether the executive would
support such an investigation.
