Students and staff at the University of Warwick have been left in the dark about critical cyber security issues which could have allowed hackers to steal their data, Sky News has learnt.
An internal audit of IT systems at the university found security was not only unable to prevent hackers accessing data, but it couldn't even have detected whether they had done so, according to the document seen by Sky News.
The university's executive office knew of these issues last July, but chose not to inform staff and students about the dangers they faced using Warwick's network.
Last month an executive summary of another audit - this time by the data protection watchdog, the Information Commissioner's Office - was published, providing the first mention of these security risks which either students or staff had heard about.
As part of the ICO's audit, more than 60 recommendations were made to the university regarding how it secures personal data, 15 of which were rated urgent.
The details of these issues were not included in the executive summary, which noted that a number of technical vulnerabilities were "communicated separately to the university's executive function".
But well before the regulator's audit this year, a number of critical vulnerabilities had been known to the university's executive since at least last July, Sky News has learnt, when their own internal audit was completed.
Summarising this work, the auditors wrote: "Our findings suggest that there are insufficient cyber security measures in place to adequately protect IT systems and data."
They added that their testing "indicated that existing IT security could not detect attempts to scan and hack systems", giving hackers free range to probe the university network.
Not only were these basic security standards missing, but they added: "No solution was in place to detect if data was to be accessed, copied or changed."
So even after a breach took place, there was nothing in place at the university to identify it, meaning staff and students could have already been victims of data breaches but there would be no evidence to inform them of it.
Many of the vulnerabilities identified in the July audit are too severe to publicly reveal in detail, but they include the widespread use of software with known vulnerabilities and a lack of control on the creation and password protection of administrator accounts.
Despite the huge risk these issues introduced for staff and students using the University's systems to store personal data and potentially valuable academic work, there were no warnings sent to them last July.
In a statement to Sky News, the University's director of press and policy, Peter Dunn, said that "the audit was communicated to all of our staff last month".
It is not clear what this communication was, and whether any efforts were made to communicate the security issues to students. Multiple students and staff who Sky News spoke to said they had not been informed.
Mr Dunn was unable to clarify the above, and whether the audit he referenced was the ICO audit, an executive summary of which is publicly available, or the more damning internal audit which Sky News had seen.
He said: "Obviously the great majority of our buildings on campus are now closed and staff are working from home as best they can so there is nothing more I will be able to provide until normal operations resume."
Mr Dunn did not respond to Sky News suggesting he communicate with those colleagues via email while they were working from home.
A spokesperson for the ICO said: "We contacted the University of Warwick to assess their data protection practices as part of an audit.
"This followed concerns we had about how the university was handling personal data. We made several recommendations to the university and will be following up to assess improvements made."
Jim Killock, the executive director of Open Rights Group, said: "The ICO seems to have done an excellent job assessing poor management and dodgy data security practices at Warwick.
"It is appalling that the university itself understood that it was running risks and hid these from staff and students.
"Transparency and recognition that change is needed is vital for any institution to learn and improve. The ICO should impose fines if the University doesn't sort itself out," Mr Killock added.
Universities are "an attractive target for adversaries," warned Zeki Turedi, technology strategist at cyber security firm CrowdStrike.
"Now more than ever, as universities prioritise their research initiatives and entire departments are working hard to support efforts to understand and respond to COVID-19, foreign entities will be looking to gain access to critical information."
Mr Turedi noted two universities based in Hong Kong were hacked earlier this year by an organisation based in China known as Wicked Panda.
Last year, the UK's National Cyber Security Centre issued a warning to universities in the UK that they were facing key cyber threats from criminals seeking financial gain, and from state-sponsored hackers looking to steal personal data and intellectual property.
CrowdStrike's Mr Turedi said it was critical that universities have a holistic view of their environment, just as the July audit recommended, and have control and visibility over all of the activity in their network.
"This includes having an understanding of the broader threat environment so they can understand adversaries and their techniques, learn from attacks, and take action on indicators to improve their overall defences," he added.
**If you would like to contact Alexander Martin, you can reach him securely using the private messaging app Signal on +44 (0)7970 376 704 or at [email protected] via email**