Warwick University suffered multiple breaches due to poor security protocols

The Information Commissioner's Office (ICO) recently found multiple instances of data breaches suffered by Warwick University that were not reported to the affected staff, students, and volunteers.

According to information obtained by Sky News, Warwick University suffered multiple data breaches in 2019 that resulted in hackers gaining access to the university's administrative network, but the university chose to withhold this from the students, staff, and volunteers who were involved in research projects.

The security breach took place in 2019 when a staff member at the university installed remote-viewing software that was exploited by hackers to gain access to students' information and to the personal information of staff members and volunteers at the educational facility. Warwick University has not yet commented on the security incident.

It has been reported that the university's security controls were so poor that it could not be determined what data had been stolen or who had been affected.

The Information Commissioner's Office carried out a data protection audit of Warwick University in March this year and made more than 60 recommendations on how to secure personal data, 15 of which were rated urgent. During the course of its audit, the ICO discovered many flaws in the university's security posture, including:

  • The University did not implement wireless network segregation.
  • The University did not have a strategic lead for all aspects of information security covering the whole organisation.
  • The University lacked centralised oversight of information security processes, controls, and potential risks at the departmental level.
  • There was a lack of oversight and control over data from certain core systems feeding into other information resources, risking unanticipated data leakage.
  • There was no separation between the student and staff email address directories, raising the risk of information being sent to a student incorrectly.
  • The University did not undertake coordinated actions in response to persistent security issues, for example continuous monitoring at DPPG, an action plan with cross-departmental procedures, and swift drafting and deployment of policy reinforced by training and awareness.

The Information Commissioner's Office also found that Warwick University had not mandated information governance training across departments, did not provide data protection training to departments that processed data covered by GDPR, and did not provide additional training to staff who had been involved in security incidents.

Based on its findings, the ICO recommended that Warwick's registrar and executive lead for data protection, Rachel Sandby-Thomas, who was also responsible for IT services, be relieved of those responsibilities because she lacked the "specialist skill set and experience" they required. She had been the executive lead for IT and data protection at the university since 2016, a period during which multiple security incidents occurred.

"The registrar fully agreed with the report's finding that we should give those areas of responsibility to someone with a specialist skill set and experience. As previous structures clearly did not deliver all the change and improvements we had sought in this area, it is no surprise that we also sought to change and improve these structures.

"We have therefore introduced two new committees to provide enhanced oversight and advice which bring in a wealth of talent including one of Europe's leading cyber security professors. A new chief information and digital officer has been hired who reports directly to the vice chancellor," Warwick University said.

Commenting on the various security incidents suffered by Warwick University as a result of poor security practices, Javvad Malik, security awareness advocate at KnowBe4, told TEISS that "suffering breaches is part and parcel for most organisations these days and a cost of doing business with any digital resources. However, transparency is a key part of incident response and it's imperative that impacted parties are notified as soon as feasible. This isn't just pragmatic from an operational perspective, but also required under GDPR."

According to Anna Russell, EMEA VP at comforte AG, with an ever-growing attack surface, simply building another wall around the network is not the best way forward, especially when it comes to phishing attacks. In the end, the most important thing is to protect customers' data. With modern solutions such as FPE (format-preserving encryption) or tokenization, PII (including names, addresses, and IDs) can be rendered useless to hackers.
