More Nottingham-style cyberattacks a ‘case of when, not if’

A spate of attacks on learning systems used by UK universities show they are seen as “juicy targets” by cyberattackers, with some institutions moving “faster than others” when it comes to recognising the threat.

A compromised student records platform at the University of Nottingham has led to the details of hundreds of thousands of students and alumni being seized by criminal group ShinyHunters, weeks after the same gang targeted Canvas, used by thousands of institutions worldwide. The latest incidents came after a government study released last month found that attacks on universities are becoming more prevalent across the board. 

The Information Commissioner’s Office (ICO) has instructed universities to treat cybersecurity as a “core organisational priority” in the wake of the attacks and said it “will consider further regulatory action where necessary” when organisations fail to do all they can to protect sensitive information.

Tim Stevens, a reader in international security at King’s College London, said while the full details of the Nottingham case are still unknown, it – and the Canvas incident – “raises the question of whether universities are exposing themselves to cyber incidents through their use of third-party software solutions for education provision and management”.

“This is a problem faced by millions of organisations that outsource functions to third parties because they cannot provide them as efficiently in-house,” he said.

The problem, however, is that “it is difficult to envisage an alternative”, said Stevens.

“Universities are less able to develop and maintain bespoke virtual learning environments and management platforms because of the sunk costs involved.

“It is simply not feasible for university IT teams to build these platforms, or to maintain them in real time to meet users’ needs and security standards.”

He added: “For now, universities have little choice but to resort to third-party solutions, and they will need reassuring that this is still the most cost-effective and efficient solution to managing their sensitive data.”

Alan Woodward, an academic at the Surrey Centre for Cyber Security, said the Nottingham attack would not be the last. “For any organisation, not just universities, it’s a case of when, not if,” he warned.

Although Woodward believed most university leaders “have got the message” on the “absolutely essential cost” of investing in robust cybersecurity protection, he admitted “some are doing it faster than others” and “there’s not an endless pot of money”.

Nonetheless, it should be seen as a crucial investment, Woodward said, with universities a highly desirable proposition for hackers looking to steal and sell sensitive personal information.

“They make juicy targets,” said Woodward, noting that a renewed crop of undergraduate and postgraduate students each year represents “an ever-increasing source” for hackers. The Nottingham hack included information such as passport numbers and financial details being stolen.

Thomas Lancaster, a principal teaching fellow in computing at Imperial College London, said the sensitivity of this data leads hackers to target universities at crunch points in the academic year.

“They know, for instance, how disruptive a successful attack on university systems can be during exam season, and how universities can then feel compelled to pay up,” Lancaster said, adding that “so many of the risks relate to people” and their individual use of university systems.

“From my wider work on student cheating, I know of students sharing their login details to university learning systems so that other people can do their work for them,” he said.

“From there, an unscrupulous individual can often get access to all kinds of contact information, unreleased teaching materials and the like.”

Lancaster said organisations often reacted too slowly after attacks and failed to prepare for how they will keep staff, students and third parties informed after the fact.

“Individual staff and students need training,” he added. “A voice call might seem legitimate, but current generative AI makes it so easy to set up a voice clone. Simply put, universities need stronger identity controls all around.”

In Nottingham’s case, the situation is still developing and is now the subject of a criminal investigation.

The university has in the meantime set up a telephone helpline to provide support and advice for those concerned.

A spokesperson said: “The investigation is complex so will take some time to complete.

“We understand that it is frustrating that we do not have any more information at this stage. We are working within established timescales on this investigation, and we continue to provide students with information about how to best protect themselves and will be following up with students to provide fraud prevention services.”

georgia.luckhurst@timeshighereducation.com