Luminate Education Group suffered a cyber attack last week that affected a number of Leeds-based colleges such as Leeds City College, Harrogate College, Keighley College, and University Centre Leeds.
Earlier today, Luminate Education Group said the cyber attacks took place on 11th August and resulted in operational disruption to its IT network that resulted in a delay in the announcement of students' A-Level and GCSE results.
Without revealing the nature of the cyber attack, the education group said it set up a temporary, secure system to distribute students’ results and also engaged dedicated, external experts, to carry out an investigation into the cyber incident.
“On 11 August, some members of Luminate Education Group were targeted by a cyber attack, causing operational disruption. Since we became aware of the incident we have been working closely with the Education & Skills Funding Agency (ESFA), the National Cyber Security Centre (NCSC) and the Cyber Crime Unit from the National Crime Agency (NCA).
“We also engaged a group of dedicated, external experts who immediately launched an investigation into the incident, which is ongoing. The Information Commissioner’s Office has been notified. We’d like to reassure everyone that our student learning system has not been impacted by the cyber attack. We are reopening in September as planned and we look forward to welcoming our returning and newly enrolled students,” the group said.
A spokesperson for Luminate Education Group told BBC that the affected colleges included Leeds City College, Keighley College, Harrogate College, Leeds Sixth Form College and University Centre Leeds. The education group has not commented on whether the cyber attack resulted in the loss of data.
Commenting on the cyber attack on Luminate Education Group, Matt Aldridge, Principal Solutions Architect at Webroot, said that educational institutions should take this case as a wake-up call to address their cybersecurity and privacy compliance quickly as criminals Criminals are targeting providers due to a perceived weakness in their cybersecurity, as well as the value in their data.
"As the education sector is a huge pool of sensitive data, organisations within it need to engage cyber-resilience plans to protect their IT infrastructure and data regardless of the crisis. Also, staff training is essential for defending against phishing attacks and business email compromise.
"The training materials used also need to be updated continuously to reflect the latest threat trends, and regular simulations should be run to ensure that the training has the desired effect,” he added.
As far as providing cyber security training to faculty and staff and securing IT networks are concerned, UK universities still have a long way to go. A recent study by security firm Redscan found that even though universities find themselves at the end of millions of phishing emails every year, the average university is spending only £7,529 per year on security training and is hiring just three qualified cyber security professionals.
Redscan learned that only 66 out of 134 UK universities have Cyber Essentials or Cyber Essential Plus certification, 49% are not proactive in providing security training and information to students, 12% of universities do not offer any kind of security guidance, support or training at all to students, and 46% of all university staff in the UK received no security training in the last year.
These figures reveal the state of cyber security in UK universities and indicate that there is no real seriousness in protecting intellectual property, precious research work, or the personal data of staff and students from cyber criminals who use a range of phishing tactics to lure universities into sending over money or data or carry out DDoS attacks to shut down IT networks.