Student Loans Company Hit by One Million Cyber-Attacks

Written by

The UK’s Student Loans Company (SLC) has been forced to repel nearly one million cyber-attacks over the course of the last financial year, highlighting the growing risk to organizations from hackers.

Think tank Parliament Street sent a Freedom of Information (FOI) request to the non-profit government body, which provides loans and grants to students in the UK.

It revealed the organization was hit by 965,639 separate attacks in the financial year 2017/18. There was little further info on exactly what type of attacks these were, although they included SQLi attempts.

On top of these figures, the SLC broke down a further 323 malware attempts and 235 malicious emails or calls.

Some 127 attempted attacks were not blocked and therefore treated as full blown “incidents,” compared to three attempts in financial year 2015/16 and 95 in 2016/17. However, only one attack succeeded in breaching the SLC’s defenses.

“There was a successful infection of slc.co.uk with Monero cryptocurrency mining malware via a third-party plugin,” the FOI response, sent to Infosecurity, revealed.

“Slc.co.uk is hosted by a third-party supplier, so this was run as a third-party incident. slc.co.uk hosts publicly available material only and no customer data was involved.”

Although the number of attacks sneaking through the perimeter appears to have peaked in 2017/18, the number of malware attempts spiked the previous year. In 2016/17 there were 1015 recorded.

An SLC statement sent to Infosecurity sought to reassure the public.

“It is worth stressing that, while we remain permanently aware and vigilant, every one of these attempts was detected and prevented at an early stage, with no violation of systems or data security. Cybersecurity will always remain a top priority for SLC and we continue to invest in the technical expertise and resources required to keep information safe,” it noted.

It’s understandable that the SLC is a major target for hackers, given the trove of financial and personal data it stores on the nation’s students. The firm is also a popular target for phishers, who often spoof the organization in an attempt to trick students into disclosing their personal details.

In 2014 it received a dressing down from the ICO after sending applicants’ personal information including medical details to the wrong recipients.

“It’s no surprise that cyber-criminals are relentlessly targeting the personal financial details of students, putting the well-being of tens of thousands of individuals at risk,” said Imperva CTO, Terry Ray. “Tackling this problem means investing heavily in the latest cybersecurity measures, to keep hackers out and limit the risk of a major data breach.”

What’s hot on Infosecurity Magazine?